CVSS3 score for XSS leading to account takeover
Let's say there is an XSS vulnerability in a web application. The XSS allows an attacker to hijack the user's session. Within the session, the attacker can view/modify the user's credit card and billing information, and even make a purchase using the user's credit card. This has a critical impact on the attacked user(s); however, CVSS3 only seems to take into consideration the impact on the whole web application (?).
Since the XSS is easy to reproduce, the attacker could run this attack on many users, so the question is:
According to the CVSS3 specs (see the tables below), which of the following options suits best (if any):
Option 1 (CVSS 6.1)
- Scope: Changed
- User interaction: Required
- Attack complexity: Low
- Confidentiality: Low
- Integrity: Low
Option 2 (CVSS 9.3)
- Scope: Changed
- User interaction: Required
- Attack complexity: Low
- Confidentiality: High
- Integrity: High
Option 3 (CVSS 8.0)
- Scope: Changed
- User interaction: Required
- Attack complexity: High
- Confidentiality: High
- Integrity: High
I was advised to choose option 3 based on the following criteria:
- Achieving a High impact for Confidentiality and Integrity would require compromising most or all user accounts in the web application.
- Doing so would require the attacker to make a considerable effort by exploiting the XSS at a large scale (hence Attack complexity: High).
Do you agree with these criteria? If not, which option would you choose?
Your opinions are very much appreciated.
Appendix
Confidentiality
| Value | Description |
|---|---|
| High (H) | There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. |
| Low (L) | There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component. |
Integrity
| Value | Description |
|---|---|
| High (H) | There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. |
| Low (L) | Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component. |