Microsoft Vulnerability Severity Classification for Online Services

Cross Site Scripting (XSS)

| Data classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | XSS that can compromise user session tokens or sensitive cookies with no victim interaction or actions required |
| Confidential | Important | XSS that can compromise user session tokens or sensitive cookies |
| General | Moderate | XSS triggering on public pages that does not disclose private data or allow the compromise of an authenticated session |
| Public | Low | XSS requiring a victim to input the malicious code themselves |

Authentication Issues

| Data classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Vulnerability allowing an attacker to authenticate as another highly privileged user or cross tenant without the victim's interaction |
| Confidential | Important | Vulnerability allowing an authenticated attacker within a tenant to elevate their privilege |
| General | N/A | Read-only access to a web directory that should be authenticated, like a directory that contains generic images for an internal-only site, but no sensitive information is obtainable |
| Public | | |

Improper Access Control

| Data classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Missing access controls expose sensitive data from another customer |
| Confidential | Important | An unprivileged user accessing data intended for a privileged user |
| General | Moderate | An unprivileged user viewing non-sensitive data without permission |
| Public | Low | An unprivileged user viewing non-sensitive data that's not intended to be public |

Injection (SQL injection and Command injection)

| Data classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Injection leading to elevation of privilege to a different tenant |
| Confidential | Important | Injection leading to elevation of privilege in the same tenant |
| General | | |
| Public | Moderate | Blind SQL Injection with no sensitive information disclosed |

Cross-Site Request Forgery (CSRF)

| Data classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | CSRF vulnerability performing a highly privileged administrative action, like allowing account credential reset on any user in an Azure service |
| Confidential | Important | CSRF vulnerability resulting in the change of a user's email address and subsequent account takeover |
| General | Moderate | CSRF vulnerability allowing a minor change to a user's account, like adding a personal note to a user's account |
| Public | Low | A CSRF vulnerability on an unauthenticated form |

Server-Side Request Forgery (SSRF)

| Data classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Cross tenant information disclosure or elevation of privilege after reaching internal servers |
| Confidential | Important | SSRF vulnerability sending requests to sensitive internal endpoints that leak sensitive information or perform a sensitive action |
| General | Moderate | Blind SSRF reaching ports that should not be open |
| Public | Low | Blind SSRF that is only used for port scanning |

Deserialization of Untrusted Data

| Data classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Deserialization leading to unauthenticated cross tenant remote code execution |
| Confidential | Important | Deserialization leading to compromise of a system that processes data belonging to the current user |
| General | Moderate | Deserialization leading to server Denial of Service |
| Public | Low | Deserialization triggering only an HTTP 500 error with no other impact to the system |

Web Security Misconfiguration

| Data classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Default admin credentials that access an important resource |
| Confidential | Important | URL redirect in an OAuth flow that leaks the OAuth token |
| General | Low | Clickjacking due to lack of the X-FRAME-OPTIONS response header or lack of frame-ancestors in a CSP |
| Public | Low | Missing length check on a web app form leading to denial of service for the user, requiring them to refresh the page |

Cross Origin Access Issues

| Data classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Improper CORS (trusted origin) validation leading to disclosure of tokens with excessive permissions |
| Confidential | Important | Improper CORS (trusted origin) validation |
| General | Moderate | Access-Control-Allow-Origin header in the response reflecting any value put in the Origin header of the request, along with Access-Control-Allow-Credentials being set to true |
| Public | Low | Access-Control-Allow-Origin header in the response has been set to '*' with no additional exploitation |
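The two CORS header patterns graded Moderate and Low above, beside an allowlist-based handler, with a triage helper that maps a response's headers onto those rows. This is an added example, not part of Microsoft's classification page; the allowlist, origins and function names are constructed for illustration.

```python
# Added example: weak and hardened CORS response builders, plus a helper that
# grades a response against the "Cross Origin Access Issues" rows (Moderate for a
# reflected Origin with credentials, Low for a bare wildcard). Sample data is constructed.

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # hypothetical allowlist


def cors_headers_reflecting(origin: str) -> dict:
    """Weak handler: echoes any Origin and allows credentials (table row: Moderate)."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_wildcard() -> dict:
    """Weak handler: wildcard origin with no further exploitation (table row: Low)."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers_allowlisted(origin: str) -> dict:
    """Hardened handler: exact-match allowlist; Vary: Origin stops a cache from
    serving one origin's response to another."""
    if origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers at all: the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def triage_cors(request_origin: str, response_headers: dict) -> str:
    """Map a response to the rows of the Cross Origin Access table.
    Returns 'Moderate', 'Low' or 'None'; header names are matched case-insensitively."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "None"
    if acao == "*":
        # Browsers refuse credentialed responses with a wildcard, so this is Low on its own.
        return "Low"
    if acao == request_origin and creds and request_origin not in ALLOWED_ORIGINS:
        # An arbitrary Origin echoed back with credentials: authenticated cross-origin reads.
        return "Moderate"
    return "None"
```

Run `triage_cors` against the three builders with an origin that is not on the allowlist to see the grading; only the allowlisted handler yields "None".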

Improper Input Validation

| Data classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Tampering with request parameters affects the application's logic and allows cross tenant information exposure or privilege escalation |
| Confidential | Important | Changing a parameter's value affects the application's logic, resulting in exposure of sensitive information or allowing the user to perform a sensitive action |
| General | Moderate | Tampering with input parameters that can only cause visual, cosmetic changes to the user interface |
| Public | Low | Modifying input parameters that make the user interface difficult to use |