CVSS- Common Vulnerability Score Calculator - Immersive Labs Exercise

Y01SY01S Member Posts: 1 ■□□□□□□□□□

Hello everybody! 

So I’m doing some exercises on Immersive Labs on a Calculator CVSS 3.1 Base where you need to analyse a cybersecurity problem and base on that, the calculator will give you a score on how severe the attack is. 

I’m struggling to try to Classify the attacks and I would like to ask for any reading/video/study material recommendation on how to better understand how to classify the vulnerabilities. I DON’T KNOW WHICH OPTION TO CHOOSE  ON THE CALCULATOR.

Follow an example that is on the exercise. Apart from that, there are many other problems that vary from SQL injection to compromised Servidors with loads of details in each case.  I checked the official material of the calculator but still not sure about how to classify it. 

Example -Base Score Metrics

The screenshot below shows the score calculation for an unauthenticated stored XSS on a publicly available website when the HTTPOnly flag is not assigned to cookies.

The CVSS vector for this is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.


I’m sorry if it is a silly question, I’m new in the cybersecurity world. 

Cheers   :)B)


  • Options
    LonerVampLonerVamp Member Posts: 518 ■■■■■■■■□□
    The official documentation is actually pretty clear. They also have lots of examples both in the spec and in a separate section.

    For the example above, an XSS on a public website pretty much means it's over the network.
    Attack complexity for an XSS is probably low.
    You don't need to be an administrator for this to work, so no privileges required.
    An XSS does need someone to visit the page, so user interaction is a yes.

    Scope is more complicated. For the XSS, the vulnerability is within the website hosting the payload, but the impact is on the browser security model. It's pretty easy to get confused here, so I'd consult examples. It's pretty easy to have a Scope change, though.

    The 3 CIA values are specific to various organizations and are optional. For instance, if you have vulnerability A on 4 different servers, and 3 of those servers are test boxes on an isolated network, and the other is exposed to the Internet, you probably want them scored differently in order to know which ones are the worst risk for you. CIA helps provide that.

    Is there a particular category that you're worse at?

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
Sign In or Register to comment.