CVSS Calculator Full Explanation

Exploitability Metrics

Attack Vector (AV)

Network (N) – The attacker can exploit the vulnerability remotely over the internet. (Highest Severity)
Example: Exploiting a web server via a crafted HTTP request.

Adjacent Network (A) – The attacker must be on the same local network segment. (High Severity)
Example: Attacking a router using vulnerabilities reachable only from the same Wi-Fi network.

Local (L) – The attacker needs local access to the operating system (for example, a logged-in session), not physical access to the device. (Medium Severity)
Example: Running a malicious program after login.

Physical (P) – The attacker needs hands-on physical access to the device. (Lowest Severity)
Example: Plugging in a malicious USB device.

Attack Complexity (AC)

Scenario 1: We have a network environment that is easily exploitable, with no special conditions the attacker has to overcome. Hence, the attack complexity is chosen to be LOW.

Scenario 2: We have a network environment that is hard to exploit because conditions outside the attacker's control must be met first. Hence, the attack complexity is chosen to be HIGH.

🔐 Privilege Required (PR) Levels

1️⃣ PR: None (N)

Attacker needs no login or account.
They can exploit the system completely unauthenticated.

Example Scenario:

A public web form allows remote code execution just by sending a crafted request.

  • No username

  • No password

  • No session

➡️ Most dangerous because anyone on the internet can exploit it.


2️⃣ PR: Low (L)

Attacker needs a basic or minimal account, such as a normal user.
No admin or elevated privileges required.

Example Scenario:

A regular user in an application can exploit a bug to read other users’ data.

  • Needs a login

  • But does not need admin rights

➡️ Limited barrier → moderately severe.


3️⃣ PR: High (H)

Attacker needs high-level or administrative privileges before exploiting.
They must already control the system to some extent.

Example Scenario:

An admin must be logged in, and then a bug allows them to escalate to full root access.

  • Requires admin/root/privileged account

  • Attacker must already have strong access

➡️ Least severe, because attackers already need high privileges.



👤 User Interaction (UI)

1️⃣ UI: None (N)

The attacker can exploit the vulnerability without any help from a user.
The exploit succeeds with no action by a victim.

Example Scenario:

A vulnerable web server is compromised by sending a single crafted HTTP request.

  • No clicks

  • No downloads

  • No user action

➡️ More severe, because the attacker can act alone.


2️⃣ UI: Required (R)

The attacker needs the victim to perform an action for the attack to succeed.

Example Scenario:

A malicious PDF exploits a vulnerability only when the user opens the file.

  • User must click

  • Or open a link

  • Or run a file

➡️ Less severe, because the attacker relies on social engineering.


🔭 Scope (S) in CVSS

Scope tells whether a vulnerability can break out of its original security boundary (like a sandbox, container, VM, or application boundary).


1️⃣ Scope: Unchanged (U)

The impact stays within the same security boundary.
The vulnerability only affects the component where it exists.

Example Scenario:

A bug inside a web application lets attackers read internal data of that same app, but cannot escape to the server OS or other apps.

➡️ Severity is lower because the attacker cannot affect other systems.


2️⃣ Scope: Changed (C)

The impact crosses into a different security boundary.
The vulnerability allows the attacker to escape from the component to another system.

Example Scenario:

A browser vulnerability allows a malicious website to escape the browser sandbox and execute code on the host OS.

➡️ Severity is higher because the attack impacts additional systems or privileges.



Impact Metrics (C/I/A)

Confidentiality (C):

Low (L) – Discloses email addresses.

High (H) – Discloses credit card numbers.

Integrity (I):

Low (L) – Modifies the address on a user profile.

High (H) – Modifies the password of a user profile.

Availability (A):

Low (L) – The application is temporarily unavailable.

High (H) – The application is unavailable for a long period of time.
