CVSS scoring is one of those things most pentesters do by feel until a client or QSA challenges a score. Then you realise you've been guessing.
CVSS 3.1 is a formula. Once you understand the inputs, the score follows automatically. Here is how it works.
What CVSS Actually Measures:
CVSS measures the characteristics of a vulnerability itself, not its risk in any specific environment. The base score assumes worst case. The attacker is motivated, the system is internet-facing, no compensating controls exist.
That matters because clients push back constantly. "We have a WAF." "That system is internal only." Those are environmental factors that affect an adjusted score, not the base score. The base score measures the vulnerability, not the client's deployment.
The Eight Metrics:
Attack Vector is about how the vulnerability is exploited. Network means it is exploitable remotely. Adjacent needs local network access. Local needs system access. Physical needs hands on the hardware. Most web bugs are Network.
Attack Complexity is about reliability. Low means the attack works every time with no special conditions. High means specific conditions outside the attacker's control are needed.
Privileges Required is straightforward. None means no login needed. Low means a regular user account. High means admin access is required.
User Interaction is either None or Required. None means the attacker does it alone. Required means a victim has to click a link or take some action.
Scope tells you whether the impact stays within the vulnerable component (Unchanged) or spills into other systems outside that component's security boundary (Changed).
Confidentiality, Integrity, and Availability are each rated None, Low, or High. High means total loss of that property.
How Common Findings Actually Score:
Stored XSS stealing session cookies comes out around 8.2. SQL injection with full database read hits 9.8. An IDOR exposing other users' data lands around 6.5. Self-XSS that requires the victim to paste code themselves drops to around 4.7.
Always include the full vector string in your report, not just the number. It lets clients and QSAs verify your scoring instead of arguing about it.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Where People Go Wrong:
Mixing up Attack Complexity with how hard a bug was to find. AC is about reliability of exploitation, not discovery difficulty.
Setting Scope to Changed when the impact stays within the same component. Changed only applies when exploitation can cross into systems outside the vulnerable component's security boundary.
Overrating Integrity impact. A note field that reflects input is not High integrity. High means the attacker can modify anything.
Forgetting User Interaction on reflected XSS. If the victim has to click a link it is Required, which drops the score significantly compared to stored XSS that fires automatically.
One Last Thing:
If you want to skip doing this manually every time, I built a free CVSS calculator that calculates the base score and outputs the full vector string instantly. Try it at pentestreportai.com/cvss-calculator and drop the vector straight into your report.