The Common Vulnerability Scoring System Version 3.0 rates the severity of a vulnerability depending on factors such as:
- Attack Vector (AV) - What kind of access does an attacker need? Can they do it over the net or do they need physical access?
- Attack Complexity (AC) - Does the attack work every time or do very specific circumstances outside the attacker's control need to be in place?
- Privileges Required (PR) - What kind of privileges does the attacker need for this attack to be successful?
- User Interaction (UI) - Does the user need to interact with the attacker in a certain way for the attack to be successful?
- Scope (S) - Does the vulnerability affect the same, or a different component?
- Confidentiality (C) - How does this vulnerability affect the confidentiality of data?
- Integrity (I) - How does this vulnerability affect the integrity of data?
- Availability (A) - How does this vulnerability affect the availability of data?
I am somewhat confused with Privileges Required (PR), especially how to rate certain vulnerabilities. Here is the definition of Privileges Required, according to the CVSS3 Specification v1.8:
Privileges Required (PR)
This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required. The list of possible values is presented in Table 3.
Table 3: Privileges Required:
- None (N): The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.
- Low (L): The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.
- High (H): The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.
Now imagine the following attack scenario: A company creates a forum for their community, in which people can create posts. Signatures of users are put below each post. A user can include a malicious <script> tag in their signature to create a stored XSS attack on anyone reading any of their posts.
How would this be rated?
My reasoning would be that the privileges required are "None (N)", as the attacker does not require any access to settings or files to carry out an attack. However, I have heard people arguing that this would be classified as "Low (L)", as the attacker does indeed need an account to use the forum software and therefore is not unprivileged.