Comments (5)
Hi @Osamax,
First of all, thank you for taking the time to provide such a good video PoC; that often makes a difference.
Bugcrowd's VRT classifies CSV Injection as accepted risk, which is how this kind of issue is recognized by most of the industry (a good reference here). However, we do give our customers the opportunity to review P5 issues and upgrade/reward based on their preference. We also leave the ASEs room for occasional upgrades based on critical context, as is the case with the VRT in general.
Hope that helps!
from vulnerability-rating-taxonomy.
Thanks for your reply, but what should I do now? Do I have to convince the program to which I reported this vulnerability that this issue is of a higher risk? One of the program guys told me that I should file an issue here on GitHub, so I'm a bit confused about what to do next.
If you believe that the context of a particular issue is critical enough to warrant upgrading the default priority as an exception you are welcome to make your case in your report. If you believe that you did your best to explain the risk, please accept that the Application Security Engineer validating your submission made a well informed decision.
This GitHub repository is where we shape the VRT. By filing an issue you are debating whether a vulnerability is properly classified by Bugcrowd's Vulnerability Rating Taxonomy.
Yes, I believe that the context of this issue is critical, which was well explained in the video PoC, and I want to file an issue.
I agree: if an application affords you an avenue to deliver command execution on a client (assuming a file is safe to handle because of an inherent trust of the app they are using), CSV injection should be high.
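The thread above argues about how severe a CSV injection finding is, but the fix on the export side is the same whatever priority it gets: any user-controlled value that starts with a formula trigger must be neutralized before it is written to the CSV. The following is an added example written for this page; it is not code from the VRT project or from anyone in the thread. The field names and the sample user records are constructed, and the export uses only the Python standard library.

```python
import csv
import io

# Characters that make Excel, LibreOffice Calc and Google Sheets treat a cell
# as a formula when they appear at the start of the cell. Tab and carriage
# return are included because some importers strip them before the check,
# so "\t=..." would otherwise slip through as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a string value would be interpreted as a formula on import."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return a value that a spreadsheet will treat as literal text.

    Only strings are touched: numeric types produced by the application itself
    (e.g. a negative balance) are not user input and keep their meaning.
    """
    if value is None:
        return ""
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        # A leading single quote marks the cell as text in the spreadsheets
        # above; combined with QUOTE_ALL below, the CSV reader sees it as data.
        return "'" + value
    return value


def find_formula_like(rows, fieldnames):
    """Defensive check: (row index, field) pairs whose value looks like a formula.

    Useful to log how often exported data contained formula-like strings,
    which is the signal a defender wants before deciding on priority.
    """
    hits = []
    for idx, row in enumerate(rows):
        for field in fieldnames:
            if is_formula_like(row.get(field)):
                hits.append((idx, field))
    return hits


def export_rows(rows, fieldnames):
    """Write rows to CSV text with every cell quoted and formula triggers neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf,
        fieldnames=fieldnames,
        lineterminator="\n",
        quoting=csv.QUOTE_ALL,  # wraps every field in double quotes and doubles embedded quotes
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({field: neutralize_cell(row.get(field)) for field in fieldnames})
    return buf.getvalue()


# Constructed sample data: display names as they might arrive from a web form.
SAMPLE_FIELDS = ["id", "display_name", "note"]
SAMPLE_USERS = [
    {"id": 1, "display_name": "alice", "note": "ok"},
    {"id": 2, "display_name": "=SUM(1,2)", "note": "formula-looking name"},
    {"id": 3, "display_name": "+44 20 7946 0000", "note": "phone number"},
    {"id": 4, "display_name": "@bob", "note": "handle"},
]


if __name__ == "__main__":
    print("formula-like cells:", find_formula_like(SAMPLE_USERS, SAMPLE_FIELDS))
    print(export_rows(SAMPLE_USERS, SAMPLE_FIELDS))
```

The single-quote prefix changes how legitimate values such as phone numbers starting with "+" display, which is the usual trade-off of this mitigation; the alternative is to allow-list specific fields that are known to be numeric and apply the prefix only to free-text fields.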