To get some arguments, I asked an LLM (Llama 3.3 70B Instruct to be precise) to explain the reasoning for the XSS assessment to me. The key argument it provided is the following:
The reasoning behind this classification is that the vulnerability itself does not directly compromise the confidentiality or integrity of the SharePoint Server. Instead, it allows an attacker to exploit the vulnerability to attack the user’s browser, which is a subsequent system. The impact on the user’s browser is what leads to the compromise of confidentiality and integrity, rather than a direct impact on the SharePoint Server.
I find this reasoning interesting as it kind of makes sense (but only kind of, I still find it strange). Basically, the user’s browser is considered a normally secure environment that can be attacked through XSS. When asked, the LLM also explained that the scoring should be changed if it allowed executing actions in the name of an admin user. I don’t put any trust into these statements (it’s an LLM), but I find the reasoning interesting. It would basically mean that for pure XSS, we should put high risk on the subsequent system and no impact on the system itself.
There is an interesting discussion, “web application - CVSS3 score for XSS leading to account takeover” on Information Security Stack Exchange, that also talks about this. If I understand the mention there correctly, one could also consider the user’s browser the attacked system and the web application the subsequent system, but this seems a bit far-fetched to me (and it is not clear to me if this is really what the author meant).
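To make the two framings concrete, here is a small added example (my own code, not from the post or from any CVSS tooling) that parses a CVSS v4.0 base vector, reports whether the impact metrics land on the vulnerable system (VC/VI/VA), the subsequent system (SC/SI/SA) or both, and swaps the two groups to express the alternative reading from the Stack Exchange thread. The metric names and values follow the public CVSS v4.0 specification; the sample vectors are constructed for illustration and are not the official scoring of any advisory.

```python
"""Locate the impact of a CVSS v4.0 base vector: vulnerable vs subsequent system."""

# Base metrics of CVSS v4.0 in specification order with their allowed values.
# Assumed from the public FIRST.org specification; verify against the document.
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"},   # Attack Vector
    "AC": {"L", "H"},             # Attack Complexity
    "AT": {"N", "P"},             # Attack Requirements
    "PR": {"N", "L", "H"},        # Privileges Required
    "UI": {"N", "P", "A"},        # User Interaction
    "VC": {"H", "L", "N"},        # Vulnerable system confidentiality
    "VI": {"H", "L", "N"},        # Vulnerable system integrity
    "VA": {"H", "L", "N"},        # Vulnerable system availability
    "SC": {"H", "L", "N"},        # Subsequent system confidentiality
    "SI": {"H", "L", "N"},        # Subsequent system integrity
    "SA": {"H", "L", "N"},        # Subsequent system availability
}
VULNERABLE = ("VC", "VI", "VA")
SUBSEQUENT = ("SC", "SI", "SA")
PREFIX = "CVSS:4.0/"


def parse_vector(vector: str) -> dict:
    """Parse a CVSS:4.0 base vector string into a metric -> value dict.

    Rejects unknown metrics, invalid values, duplicates and missing base metrics,
    so a malformed vector cannot silently read as 'no impact'.
    """
    if not vector.startswith(PREFIX):
        raise ValueError("only CVSS:4.0 vectors are handled")
    metrics = {}
    for part in vector[len(PREFIX):].split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in BASE_METRICS or value not in BASE_METRICS[name]:
            raise ValueError(f"invalid metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")
    return metrics


def to_vector(metrics: dict) -> str:
    """Serialise metrics back into a vector string in specification order."""
    return PREFIX + "/".join(f"{m}:{metrics[m]}" for m in BASE_METRICS)


def impact_location(metrics: dict) -> str:
    """Return 'vulnerable', 'subsequent', 'both' or 'none' depending on
    which system(s) carry a non-None confidentiality/integrity/availability impact."""
    on_vulnerable = any(metrics[m] != "N" for m in VULNERABLE)
    on_subsequent = any(metrics[m] != "N" for m in SUBSEQUENT)
    if on_vulnerable and on_subsequent:
        return "both"
    if on_vulnerable:
        return "vulnerable"
    if on_subsequent:
        return "subsequent"
    return "none"


def swap_systems(metrics: dict) -> dict:
    """Express the alternative framing: treat the browser as the vulnerable
    system and the web application as the subsequent system by swapping the
    two impact groups. Exploitability metrics are left untouched."""
    swapped = dict(metrics)
    for v, s in zip(VULNERABLE, SUBSEQUENT):
        swapped[v], swapped[s] = metrics[s], metrics[v]
    return swapped


# Constructed sample vectors (illustration only, not any vendor's scoring).
# Reading 1 from the post: pure XSS harms only the user's browser (subsequent system).
PURE_XSS = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
# Reading 2: the XSS can trigger actions as an admin, so the application itself
# (the vulnerable system) also loses integrity. Assumed values, not a rule from the spec.
ADMIN_ACTION_XSS = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N"


if __name__ == "__main__":
    for label, vec in (("pure XSS", PURE_XSS), ("admin-action XSS", ADMIN_ACTION_XSS)):
        m = parse_vector(vec)
        print(f"{label}: impact on {impact_location(m)}")
        print(f"  swapped framing: {to_vector(swap_systems(m))}")
```

Running it shows the pure XSS vector placing impact only on the subsequent system, the admin-action variant on both, and the swapped form of the pure XSS vector moving the High confidentiality and integrity impact onto VC/VI, which is the browser-as-vulnerable-system reading from the linked thread. The script deliberately does not compute the numeric score: the CVSS v4.0 MacroVector lookup is large and easy to get subtly wrong, and the point here is where the impact is recorded, not the resulting number.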