The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity, derived from a numeric score in the 0.0 to 10.0 range. The bands below group those scores into severity levels and suggest what to do about each.
Critical (9.0 – 10.0)
Vulnerabilities that score in the critical range usually have most of the following characteristics:
These vulnerabilities can allow attackers to take complete control of your resources. In exploiting this type of vulnerability, attackers could carry out a range of malicious acts including (but not limited to):
On exploiting such vulnerabilities, attackers can access and control logged-in user or administrator accounts, enabling them to hijack those accounts and make changes that normally only those users could make.
Suggested Action for Critical Severity Vulnerabilities
A Critical severity vulnerability means that the affected resources can be exploited at any time. Make fixing these vulnerabilities the highest priority and address them immediately via patching, upgrading or other mitigation measures. Once a fix has been implemented, rescan the affected resource to confirm that the vulnerability or weakness has been mitigated.
High (7.0 – 8.9)
Vulnerabilities that score in the high range usually have some of the following characteristics:
On exploiting such vulnerabilities, attackers can view information about your system that helps them find or exploit other vulnerabilities, enabling them to take control of your website and access sensitive user and administrator information.
Suggested Action for High Severity Vulnerabilities
A High severity vulnerability means that resources can be exploited and that attackers can use the foothold to find other vulnerabilities that have a bigger impact. Fix these types of vulnerabilities immediately. Once a fix has been implemented, rescan the affected resource to confirm that the vulnerability or weakness has been mitigated.
Medium (4.0 – 6.9)
Vulnerabilities that score in the medium range usually have some of the following characteristics:
By exploiting Medium severity vulnerabilities, attackers gain information and reconnaissance useful for their attack. Medium severity vulnerabilities are often used to better understand your system, allowing attackers to refine and escalate their attacks. Such vulnerabilities can sometimes be chained together to increase the potential damage of an attack.
Suggested Action for Medium Severity Vulnerabilities
Most of the time, since the impact of Medium severity vulnerabilities is not direct, you should focus first on fixing Critical and High severity vulnerabilities. However, Medium severity vulnerabilities should still be addressed at the earliest possible opportunity.
Low (0.1 – 3.9)
Do not spend disproportionate effort on resources that have only Low severity vulnerabilities. These types of issues do not have any significant impact and are likely not exploitable on their own.
Suggested Action For Low Severity Vulnerabilities
If time and budget allow, it is worth investigating and fixing Low severity vulnerabilities.
Informational
Informational alerts are reported simply as supporting information for a resource. They may not have a direct impact, but they could help an attacker gain a better understanding of your underlying systems.
Suggested Action for Informational Alerts
In most cases, no action or fix is required.
Want to find out how many issues you have? Contact us today and ask about CATSCAN from ProactiveRISK