Release v1.4 · bugcrowd/vulnerability-rating-taxonomy

Available on Bugcrowd here: https://bugcrowd.com/vulnerability-rating-taxonomy/1.4

Added

insufficient_security_configurability.weak_password_reset_implementation.token_is_not_invalidated_after_login
server_side_injection.content_spoofing.rtlo
mapping of VRT to CWE
server_security_misconfiguration.dbms_misconfiguration.excessively_privileged_user_dba
cross_site_scripting_xss.stored.url_based
server_security_misconfiguration.oauth_misconfiguration.insecure_redirect_uri
server_security_misconfiguration.oauth_misconfiguration.account_takeover
client_side_injection.binary_planting.non_default_folder_privilege_escalation
broken_authentication_and_session_management.weak_login_function.not_operational
broken_authentication_and_session_management.weak_login_function.other_plaintext_protocol_no_secure_alternative
broken_authentication_and_session_management.weak_login_function.lan_only
broken_authentication_and_session_management.weak_login_function.http_and_https_available
broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default
cross_site_scripting_xss.ie_only.ie11
cross_site_scripting_xss.ie_only.older_version_ie11
broken_authentication_and_session_management.failure_to_invalidate_session.on_logout_server_side_only
sensitive_data_exposure.sensitive_token_in_url.user_facing
sensitive_data_exposure.sensitive_token_in_url.in_the_background
sensitive_data_exposure.sensitive_token_in_url.on_password_reset
mapping of VRT to Remediation Advice

Removed

server_side_injection.sql_injection.error_based
server_side_injection.sql_injection.blind
broken_authentication_and_session_management.weak_login_function.over_http
cross_site_scripting_xss.ie_only.older_version_ie_10_11
cross_site_scripting_xss.ie_only.older_version_ie10
broken_authentication_and_session_management.failure_to_invalidate_session.on_password_reset
network_security_misconfiguration.telnet_enabled.credentials_required
server_security_misconfiguration.using_default_credentials.production_server
server_security_misconfiguration.using_default_credentials.staging_development_server

Changed

Use unittest for vrt validations
broken_authentication_and_session_management.failure_to_invalidate_session.all_sessions name changed from "All Sessions" to "Concurrent Sessions On Logout"
server_security_misconfiguration.oauth_misconfiguration.missing_state_parameter name changed from "Missing State Parameter" to "Missing/Broken State Parameter"
server_security_misconfiguration.oauth_misconfiguration.missing_state_parameter priority changed from P4 to null
server_security_misconfiguration.no_rate_limiting_on_form.login priority changed from P3 to P4
client_side_injection.binary_planting.privilege_escalation name changed from "Privilege Escalation" to "Default Folder Privilege Escalation" priority changed from P4 to P3
server_security_misconfiguration.lack_of_password_confirmation.change_email_address priority changed from P4 to P5
server_security_misconfiguration.lack_of_password_confirmation.change_password priority changed from P4 to P5
server_security_misconfiguration.unsafe_file_upload.no_antivirus priority changed from P4 to P5
server_security_misconfiguration.unsafe_file_upload.no_size_limit priority changed from P4 to P5
broken_authentication_and_session_management.failure_to_invalidate_session.on_logout name changed from "On Logout" to "On Logout (Client and Server-Side)"
broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change name changed from "On Password Change" to "On Password Reset and/or Change"
network_security_misconfiguration.telnet_enabled priority changed from null to P5 (due to children removal)
server_security_misconfiguration.using_default_credentials priority changed from null to P1 (due to children removal)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v1.4

Added

Removed

Changed