following the proposal made this morning about the Severity of security issues, I want to propose performing the following changes in the dedicated section about CVSS computation practices:
CVSS 4.0 needs to be systematically used now
by default, for any vulnerability that requires the Script right, the computed impact should be set to Low: the Script right already offers a lot of power to users, and escalation issues with them shouldn’t necessarily be a priority here, so they shouldn’t get a score > 7 all the time (which is systematically the case for High impact)
I think we need some more arguments/explanation on the “the Script right already offers a lot of power to users and escalation issue with them shouldn’t necessarily be a priority here” part.
For me, it’s not because escalation issues are not important (they are) but more because:
We don’t give Script Rights by default, and giving them should be documented as risky (with explanations), and the recommendation should be to avoid giving them to untrusted users.
Fixing the sandboxing of SR is difficult and since there’s a workaround (avoiding giving SR to users in general), it’s less of a priority than some other security issues (e.g. escalation issues without SR).
Am I correct?
I don’t know enough about it so I’ll say +0 from me.
Should the other thread be closed in favor of this one?