Differences in how the National Vulnerability Database (NVD) and vendors score bugs can make patch prioritization harder, study says.

A new study this week is sure to raise more questions for enterprise security teams on the wisdom of relying on vulnerability scores in the National Vulnerability Database (NVD) alone to make patch prioritization decisions.

An analysis by VulnCheck of 120,000 CVEs with CVSS v3 scores associated with them shows almost 25,000 — or some 20% — had two severity scores. One score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases, these two scores differed, making it hard for security teams to know which to trust.

**High Rate of Conflict**

Approximately 56%, or 14,000, of the vulnerabilities with two severity scores had conflicting scores, meaning the one assigned by NIST and the score from the vendor did not match. Where a vendor might have assessed a particular vulnerability to be of moderate severity, NIST might have assessed it as severe.

As one example, VulnCheck pointed to CVE-2023-21557, a denial-of-service vulnerability in the Windows Lightweight Directory Access Protocol (LDAP). Microsoft assigned the vulnerability a "high" severity rating of 7.5 on the 10-point CVSS scale. NIST gave it a score of 9.1, making it a "critical" vulnerability. Information on the vulnerability in the NVD provided no insight on why the scores differed, VulnCheck said. The vulnerability database is peppered with numerous other similar instances.

That high conflict rate can set back remediation efforts for organizations that are resource-strapped in vulnerability management teams, says Jacob Baines, vulnerability researcher at VulnCheck. "A vulnerability management system that heavily relies on CVSS scoring will sometimes prioritize vulnerabilities that aren't critical," he says. "Prioritizing the wrong vulnerabilities will squander vulnerability management teams' most critical resource: time."

VulnCheck researchers found other differences in the way NIST and vendors included specific information about flaws in the database. They decided to look at cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in the NVD.

The analysis showed the primary source — typically NIST — assigned 12,969 of the 120,000 CVEs in the database as an XSS vulnerability, while secondary sources listed a much smaller 2,091 as XSS. VulnCheck found that secondary sources were much less likely to indicate that an XSS flaw requires user interaction to exploit. CSRF flaw scores showed similar differences.

"XSS and CSRF vulnerabilities always require user interaction," Baines says. "User interaction is a scoring element of CVSSv3 and is present in the CVSSv3 vector." Examining how often XSS and CSRF vulnerabilities in NVD include that information provides insight into the scale of scoring mistakes in the database, he says.

**Severity Scores Alone Not the Answer**

Severity scores based on the Common Vulnerability Severity Scale (CVSS) are meant to give patching and vulnerability management teams a straightforward way to understand the severity of a software vulnerability. It informs the security professional whether a flaw presents a low, medium, or severe risk, and often provides context around a vulnerability that the software vendor might not have provided when assigning a CVE to the bug.

Numerous organizations use the CVSS standard when assigning severity scores to vulnerabilities in their products, and security teams commonly use the scores to decide the order in which they apply patches to vulnerable software in the environment.

Despite its popularity, many have previously cautioned against solely relying on CVSS reliability scores for patch prioritization. In a Black Hat USA 2022 session, Dustin Childs and Brian Gorenc, both researchers with Trend Micro's Zero Day Initiative (ZDI), pointed to multiple issues like the lack of information around a bug's exploitability, its pervasiveness, and how accessible it might be to attack as reasons why CVSS scores alone are not enough.

"Enterprises are resource constrained, so they typically have to prioritize which patches they roll out," Childs told Dark Reading. "However, if they get conflicting information, they can end up spending resources on bugs that are unlikely to ever be exploited."

Organizations often rely on third-party products to help them prioritize vulnerabilities and decide what to patch first, Childs notes. Often, they tend to give preference to the CVSS from the vendor rather than another source like NIST.

"But vendors can't always be relied on to be transparent on the real risk. Vendors don't always understand how their products are deployed, which can lead to differences in the operational risk to a target," he says.

Childs and Bains advocate that organizations should consider information from multiple sources when making decisions around vulnerability remediation. They should also consider factors such as whether a bug has a public exploit for it in the wild, or whether it is being actively exploited.

"To accurately prioritize a vulnerability, organizations need to be able to answer the following questions," Baines says. "Does this vulnerability have a public exploit? Has this vulnerability been exploited in the wild? Is this vulnerability being used by ransomware or APT? Is this vulnerability likely to be Internet-exposed?"

Discrepancies Discovered in Vulnerability Severity Ratings

Clockwork Web before 0.1.2, when used with Rails before 5.2 is used, allows Cross-Site Request Forgery (CSRF). A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, actions include enabling and disabling jobs. All users running an affected release on Rails < 5.2 should upgrade immediately.


**Clockwork Web contains a Cross-Site Request Forgery Vulnerability with Rails < 5.2**

Moderate severity GitHub Reviewed Published Feb 2, 2023 to the GitHub Advisory Database • Updated Feb 2, 2023

GHSA-p4xx-w6fr-c4w9: Clockwork Web contains a Cross-Site Request Forgery Vulnerability with Rails < 5.2

Clockwork Web before 0.1.2, when Rails before 5.2 is used, allows CSRF.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2023-25015: Fixed CSRF vulnerability with Rails < 5.2 · ankane/clockwork_web@ec28965

An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

**Security Announcements**

**\[20230101\] - Core - CSRF within post-installation messages**

*   **Project:** Joomla!
*   **SubProject:** CMS
*   **Impact:** Low
*   **Severity:** Low
*   **Probability:** Low
*   **Versions:** 4.0.0-4.2.6
*   **Exploit type:** CSRF
*   **Reported Date:** 2022-12-24
*   **Fixed Date:** 2023-01-31
*   **CVE Number:** CVE-2023-23750

**Description**

A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

**Affected Installs**

Joomla! CMS versions 4.0.0-4.2.6

**Solution**

Upgrade to version 4.2.7

**Contact**

The JSST at the Joomla! Security Centre.

*   
*

CVE-2023-23750: Joomla! Developer Network

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

Zoho offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products. If you believe you have discovered a potential security vulnerability in any of Zoho's products or assets, let us know immediately, and we will make every effort to get the issues addressed as quickly as possible.

Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules. Zoho provides monetary rewards to vulnerability reporters at its discretion and the reward may vary based upon metrics including (but not limited to) vulnerability severity, impact, and exploitability.

You can share details of the suspected vulnerability with Zoho by clicking below;

Submit Bug

These Bug Bounty Terms and Conditions ("Bug Bounty Terms") govern your participation in the Zoho Bug Bounty Program ("Bug Bounty Program") and are a legally binding contract between you or the company you represent and Zoho. By submitting a vulnerability or participating in the program, you agree to be bound by the Terms.

The Bug Bounty Program enables you to submit security bugs or vulnerabilities discovered by you in eligible Zoho Services and earn rewards for your submissions. Service-specific terms of use that are applicable to specific Zoho Services ("Service-Specific Terms") shall be applicable to you in addition to the Bug Bounty Terms. In the event of a conflict between Bug Bounty Terms and Service-specific Terms, the Bug Bounty Terms shall prevail.

Participation in the Bug Bounty Program is open to all individuals unless:

*   You are below 14 years of age. If you are 14 years old or above, but you are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to your participation in the Bug Bounty Program after having read the Bug Bounty Terms;
    
*   You are a resident of any US sanctioned countries;
    
*   You are currently an employee of Zoho or you were employed by Zoho within six (6) months prior to your participation in the Bug Bounty Program; or
    
*   You are a family member of a Zoho employee.
    

You will follow the rules specified hereunder, failing which your participation in the Bug Bounty Program will be immediately terminated.

*   You will make all efforts to avoid privacy violations, degradation of user experience, degradation of Zoho Services, disruptions to Zoho's infrastructure and systems, and destruction of both Zoho's and users' data in the course of your security bug research.
    
*   You will report any security bug discovered by you ("Security Bug") to Zoho and provide Zoho with reasonable time to identify and mitigate the security bug before publicly disclosing it to others.
    
*   During your security bug research, if you have any inadvertent access to Zoho's or users' information, including sensitive, personal, or any other unauthorized information ("Unauthorized Information"), you must cease your Security Bug research to prevent further access to any Unauthorized Information by you and notify Zoho of any Unauthorized Information you accessed. Upon notifying Zoho of such access, delete all Unauthorized Information from your systems or devices.
    
*   You will always use your account, or an account for which you have explicit consent from the account owner, for testing the Security Bug.
    
*   You will use any security bug discovered by you only for testing, and you will not exploit the Security Bug in any manner.
    

If you have discovered an eligible security bug as specified in the scope, you may submit the bug through the website provided to you for submission.

Your submission shall include details such as vulnerability description, clear reproduction steps, and a proof-of-concept.

Upon receipt of your submission, Zoho will review and validate the submission within three (3) days from the date of your submission and will prioritize based on the severity of the vulnerability submitted and resolve the vulnerability accordingly. Zoho will notify you once the vulnerability is resolved and you may confirm whether the remedy resolves the vulnerability. If there is more than one submission for the same vulnerability from different parties, bounty will be paid to the first submission.

Zoho will pay a reward for your eligible submissions ("Bounty"). Bounties will be determined and granted only at Zoho's discretion. You can find the reward tiers here.

Zoho will fulfill the Bounty payments through the following payment modes:

*   For Indian participants, in INR through wire transfer;
    
*   For participants from outside India, in USD through PayPal; or
    
*   As an Amazon gift card in USD.
    

You understand that you are responsible for paying the taxes associated with Bounty payments. Bounties for Indian participants will be paid only after deducting TDS of 10% (Tax Deducted at Source).

Bounties shall be claimed by you within a period of three (3) months from the date of your entitlement to the reward.

You grant Zoho non-exclusive, irrevocable, worldwide, perpetual, and royalty-free license to review, assess, and use your submission to analyze and resolve the vulnerability submitted by you and for other related purposes.

ZOHO SHALL IN NO EVENT BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR OTHER LOSS OR DAMAGE WHATSOEVER OR FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, COMPUTER FAILURE, LOSS OF BUSINESS INFORMATION, OR OTHER LOSS ARISING OUT OF THE BUG BOUNTY PROGRAM.

*   All Zoho branded products and applications listed at zoho.com
    
*   All ManageEngine branded products and applications listed at manageengine.com (except SupportCenter Plus)
    
*   Site24x7
    
*   Qntrl
    
*   TrainerCentral
    
*   Zoho Corporation owned assets
    

*   Missing any best security practice that is not a vulnerability
    
*   Self XSS
    
*   Username or email address enumeration
    
*   Email bombing
    
*   HTML injection
    
*   XSS vulnerabilities on sandbox or user-content domains
    
*   Unvalidated or open redirects or tabnabbing
    
*   Clickjacking in unauthenticated pages or in pages with no significant state-changing action
    
*   Logout or unauthenticated CSRF
    
*   Missing cookie flags on non-sensitive cookies
    
*   Missing security headers that do not lead directly to a vulnerability
    
*   Unvalidated findings from automated tools or scans
    
*   "Back" button that keeps working after logout
    
*   Issues that do not affect the latest version of modern browsers or platforms
    
*   Attacks that require physical access to a user device
    
*   Social engineering
    
*   Hosting malware/arbitrary content on Zoho and causing downloads
    
*   Use of a known-vulnerable library (without evidence of exploitability)
    
*   Low-impact descriptive error pages and information disclosures without any sensitive information
    
*   Invalid or missing SPF/DKIM/DMARC/BIMI records
    
*   Password and account policies, such as (but not limited to) reset link expiration or password complexity
    
*   Non-critical issues in blog.zoho.com or other product blogs
    
*   CSV injection
    
*   Phishing risk via Unicode/Punycode or RTLO issues
    
*   Missing rate limitations on endpoints (without any security concerns)
    
*   Presence of EXIF information in file uploads
    
*   Ability to upload/download executables
    
*   Bypassing pricing/paid feature restrictions
    
*   0-day vulnerabilities in any third parties we use within 10 days of their disclosure
    
*   Any other issues determined to be of low or negligible security impact
    
*   Issues that do not affect the latest version of applications, modern browsers, or platforms
    
*   Vulnerabilities that resulted from implementation that does not follow our deployment guidelines
    
*   Usage of known vulnerable components without actual working exploit
    
*   Our intended features or accepted risks (including but not limited to the following) are not vulnerabilities and are thus excluded from our program:
    
*   Applications running as SYSTEM user
    
*   Features to execute queries, scripts, or workflows by privileged users
    
*   Usage of UDP-based unauthenticated protocols (which can be disabled by the user)
    

Severity

Bounty in USD (Up to)

Low

$ 50

Medium

$ 200

High

$ 800

Critical

$ 3000

We would like to truly thank the people listed in the Hall of Fame for their participation in the program and for making a responsible disclosure of the vulnerabilities.

Hall Of Fame for

CVE-2023-23074: BugBounty

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

CVE-2023-23073: BugBounty

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

CVE-2023-23077: BugBounty

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.

CVE-2023-23078: BugBounty

OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

CVE-2023-23076: BugBounty

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Django’s security policies.

As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).

**Issues under Django’s security process¶**

All security issues have been handled under versions of Django’s security process. These are listed below.

**June 2, 2021 - CVE-2021-33571¶**

Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses. Full description

**February 1, 2016 - CVE-2016-2048¶**

User with “change” but not “add” permission can create objects for ModelAdmin’s with save_as=True. Full description

**Versions affected¶**

*   Django 1.9 (patch)

**February 19, 2013 - No CVE¶**

Additional hardening of Host header handling. Full description

**December 10, 2012 - No CVE 2¶**

Additional hardening of redirect validation. Full description

**December 10, 2012 - No CVE 1¶**

Additional hardening of Host header handling. Full description

**September 9, 2011 - CVE-2011-4140¶**

Potential CSRF via Host header. Full description

**Versions affected¶**

This notification was an advisory only, so no patches were issued.

*   Django 1.2
*   Django 1.3

**Issues prior to Django’s security process¶**

Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.

Tag

#csrf