So, along the same lines as "Formalize CVSS "Privileges Required" level for XWiki advisories", I'd like us to formalize the CVSS interpretation we use when computing CVSS for XSS-related security issues.
There are some examples of how such security issues should be computed, for example in CVSS v3.1 Examples, where you can see that the 3 impacts (availability, integrity, confidentiality) are set to High. So my proposal would be that we use the same pattern for XSS and that we follow @MichaelHamann's rule:
For me the logic is normally to evaluate XSS with the interaction of a user with programming rights.
Note that this means that some advisories we published in the past have a lower severity than they should have had (e.g. XSS in Filter Stream Converter Application · Advisory · xwiki/xwiki-platform · GitHub).
If we agree on that rule, I'll document it so that we can refer to it directly in our advisories.