Hi everyone,
so in order to avoid ambiguities, I’d like us to formalize the different concepts used in the CVSS calculator within XWiki vocabulary, starting with the “Privileges Required” concept, which is a bit blurry.
For CVSS there are only three levels of Privileges Required: None, Low or High.
Note that in the following, when I’m talking about “standard XWiki rights” I mean the rights scheme that is bundled by default.
I propose the following matrix:
- None: Applies to any vulnerability that can be exploited by the Guest user with standard XWiki rights, AND by the Guest user with Comment right, as it’s a supported UC in XWiki which is supposed to prevent giving more rights to Guest
- Low: Applies to any vulnerability that can be exploited by registered users with standard XWiki rights (note that this includes Script right for XWiki < 14.10)
- High: Applies to any vulnerability that involves more rights than the standard XWiki rights (this can be allowing Script right for XWiki 14.10+, or Delete on the whole wiki, admin on a space, etc.)
I propose to document this in our policy. wdyt?