Security Risk Levels

Last modified: September 30, 2009 - 18:01

Security Risk Levels Defined

The following information is provided as a general guideline for determining security risk levels.

Highly Critical (5 of 5):

Remotely exploitable vulnerabilities that can compromise the system. User interaction is not normally
required for the exploit to succeed. Exploitation of live systems has already been observed.

Previous examples include: Local file inclusion on Windows, Impersonation, privilege escalation

Critical (4 of 5):

Remotely exploitable Denial of Service (DoS) vulnerabilities that can compromise the system but
do require user interaction. Also vulnerabilities that may allow anonymous users (i.e. users not registered at the site) to log in as a site user or to take administrative actions. Interaction (such as an administrator viewing a particular page) may be required for the exploit to succeed; where no interaction is required (as with CSRF), the exploit causes only minor damage.

Previous examples include: OpenID impersonation, SQL injection

Moderately Critical (3 of 5):

Remotely exploitable vulnerabilities that can compromise the system. Interaction (such as an administrator viewing a particular page) is required for the exploit to succeed. No exploitation of systems had been observed at the time the vulnerability was disclosed. The exploit requires the attacker to be a registered user of the site holding some non-default permission, such as creating content.

Previous examples include: Cross Site Scripting, Access bypass

Less Critical (2 of 5):


Used for cross-site request forgery vulnerabilities as well as privilege escalation vulnerabilities that require a complex chain of events.
This rating also covers vulnerabilities that might expose sensitive data to local users.

Previous examples include: Session fixation, Cross site request forgery

Not Critical (1 of 5):

This rating is used for limited privilege escalation vulnerabilities and for local Denial of Service (DoS) vulnerabilities.

Previous examples include: Access bypass

 
 

Drupal is a registered trademark of Dries Buytaert.