{
"metadata": {
"default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
"content": [
{
"id": "ai_application_security",
"children": [
{
"id": "adversarial_example_injection",
"children": [
{
"id": "ai_misclassification_attacks",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L"
}
]
},
{
"id": "ai_safety",
"children": [
{
"id": "misinformation_wrong_factual_data",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"
}
]
},
{
"id": "denial_of_service_dos",
"children": [
{
"id": "application_wide",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
},
{
"id": "tenant_scoped",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"
}
]
},
{
"id": "improper_input_handling",
"children": [
{
"id": "ansi_escape_codes",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
},
{
"id": "rtl_overrides",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
},
{
"id": "unicode_confusables",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
}
]
},
{
"id": "improper_output_handling",
"children": [
{
"id": "cross_site_scripting_xss",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
{
"id": "markdown_html_injection",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
]
},
{
"id": "insufficient_rate_limiting",
"children": [
{
"id": "query_flooding_api_token_abuse",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
}
]
},
{
"id": "model_extraction",
"children": [
{
"id": "api_query_based_model_reconstruction",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
]
},
{
"id": "prompt_injection",
"children": [
{
"id": "system_prompt_leakage",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
}
]
},
{
"id": "remote_code_execution",
"children": [
{
"id": "full_system_compromise",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
{
"id": "sandboxed_container_code_execution",
"cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H"
}
]
},
{
"id": "sensitive_information_disclosure",
"children": [
{
"id": "cross_tenant_pii_leakage_exposure",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
{
"id": "key_leak",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
]
},
{
"id": "training_data_poisoning",
"children": [
{
"id": "backdoor_injection_bias_manipulation",
"cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
}
]
},
{
"id": "vector_and_embedding_weaknesses",
"children": [
{
"id": "embedding_exfiltration_model_extraction",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
{
"id": "semantic_indexing",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
]
}
]
},
{
"id": "algorithmic_biases",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "application_level_denial_of_service_dos",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "critical_impact_and_or_easy_difficulty",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
{
"id": "excessive_resource_consumption",
"children": [
{
"id": "injection_prompt",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
}
],
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H"
},
{
"id": "high_impact_and_or_medium_difficulty",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
]
},
{
"id": "automotive_security_misconfiguration",
"children": [
{
"id": "abs",
"children": [
{
"id": "unintended_acceleration_brake",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
}
]
},
{
"id": "battery_management_system",
"children": [
{
"id": "firmware_dump",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
},
{
"id": "fraudulent_interface",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H"
}
]
},
{
"id": "can",
"children": [
{
"id": "injection_basic_safety_message",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
"id": "injection_battery_management_system",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
"id": "injection_disallowed_messages",
"cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
{
"id": "injection_dos",
"cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
{
"id": "injection_headlights",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
"id": "injection_powertrain",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
"id": "injection_pyrotechnical_device_deployment_tool",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
"id": "injection_sensors",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
"id": "injection_steering_control",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
"id": "injection_vehicle_anti_theft_systems",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
}
]
},
{
"id": "gnss_gps",
"children": [
{
"id": "spoofing",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
}
]
},
{
"id": "immobilizer",
"children": [
{
"id": "engine_start",
"cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
}
]
},
{
"id": "infotainment_radio_head_unit",
"children": [
{
"id": "code_execution_can_bus_pivot",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
{
"id": "code_execution_no_can_bus_pivot",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
},
{
"id": "default_credentials",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
{
"id": "dos_brick",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
{
"id": "ota_firmware_manipulation",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
{
"id": "sensitive_data_leakage_exposure",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
{
"id": "source_code_dump",
"cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
{
"id": "unauthorized_access_to_services",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
}
]
},
{
"id": "rf_hub",
"children": [
{
"id": "can_injection_interaction",
"cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
{
"id": "data_leakage_pull_encryption_mechanism",
"cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
{
"id": "key_fob_cloning",
"cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
{
"id": "relay",
"cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
},
{
"id": "replay",
"cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
},
{
"id": "roll_jam",
"cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
},
{
"id": "unauthorized_access_turn_on",
"cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
}
]
},
{
"id": "rsu",
"children": [
{
"id": "sybil_attack",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
}
]
}
]
},
{
"id": "blockchain_infrastructure_misconfiguration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "broken_access_control",
"children": [
{
"id": "bypass_of_password_confirmation",
"cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
},
{
"id": "exposed_sensitive_android_intent",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "exposed_sensitive_ios_url_scheme",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "privilege_escalation",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "username_enumeration",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
{
"id": "broken_authentication_and_session_management",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "authentication_bypass",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
},
{
"id": "cleartext_transmission_of_session_token",
"cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "concurrent_logins",
"cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "failure_to_invalidate_session",
"children": [
{
"id": "all_sessions",
"cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "long_timeout",
"cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "on_email_change",
"cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "on_logout",
"cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "on_logout_server_side_only",
"cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "on_password_change",
"cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "on_two_fa_activation_change",
"cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
}
]
},
{
"id": "saml_replay",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
},
{
"id": "session_fixation",
"children": [
{
"id": "local_attack_vector",
"cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
},
{
"id": "remote_attack_vector",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
}
]
},
{
"id": "two_fa_bypass",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "weak_login_function",
"children": [
{
"id": "other_plaintext_protocol_no_secure_alternative",
"cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
{
"id": "over_http",
"cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
}
]
},
{
"id": "weak_registration_implementation",
"cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
}
]
},
{
"id": "client_side_injection",
"children": [
{
"id": "binary_planting",
"children": [
{
"id": "no_privilege_escalation",
"cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "non_default_folder_privilege_escalation",
"cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
{
"id": "privilege_escalation",
"cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
]
}
]
},
{
"id": "cloud_security",
"children": [
{
"id": "identity_and_access_management_iam_misconfigurations",
"children": [
{
"id": "overly_permissive_iam_roles",
"cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
},
{
"id": "publicly_accessible_iam_credentials",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
}
]
},
{
"id": "logging_and_monitoring_issues",
"children": [
{
"id": "disabled_or_insufficient_logging",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
}
]
},
{
"id": "misconfigured_services_and_apis",
"children": [
{
"id": "exposed_debug_or_admin_interfaces",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
{
"id": "insecure_api_endpoints",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
]
},
{
"id": "network_configuration_issues",
"children": [
{
"id": "lack_of_network_segmentation",
"cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L"
},
{
"id": "open_management_ports_to_the_internet",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
]
},
{
"id": "storage_misconfigurations",
"children": [
{
"id": "publicly_accessible_cloud_storage",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
{
"id": "unencrypted_sensitive_data_at_rest",
"cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
]
}
]
},
{
"id": "cross_site_request_forgery_csrf",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "action_specific",
"children": [
{
"id": "logout",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
}
]
},
{
"id": "application_wide",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
},
{
"id": "csrf_token_not_unique_per_request",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
},
{
"id": "flash_based",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
}
]
},
{
"id": "cross_site_scripting_xss",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "cookie_based",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
},
{
"id": "flash_based",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
},
{
"id": "ie_only",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
{
"id": "off_domain",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
{
"id": "referer",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
{
"id": "reflected",
"children": [
{
"id": "non_self",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
]
},
{
"id": "stored",
"children": [
{
"id": "non_admin_to_anyone",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
},
{
"id": "privileged_user_to_no_privilege_elevation",
"cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
},
{
"id": "privileged_user_to_privilege_elevation",
"cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
},
{
"id": "url_based",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
]
},
{
"id": "universal_uxss",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
]
},
{
"id": "cryptographic_weakness",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "broken_cryptography",
"children": [
{
"id": "use_of_broken_cryptographic_primitive",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
{
"id": "use_of_vulnerable_cryptographic_library",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
}
]
},
{
"id": "incomplete_cleanup_of_keying_material",
"cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"
},
{
"id": "insecure_key_generation",
"children": [
{
"id": "insufficient_key_space",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
{
"id": "key_exchange_without_entity_authentication",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
}
]
},
{
"id": "insufficient_entropy",
"children": [
{
"id": "initialization_vector_reuse",
"cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "limited_rng_entropy_source",
"cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "predictable_initialization_vector",
"cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "predictable_prng_seed",
"cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "prng_seed_reuse",
"cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "small_seed_space_in_prng",
"cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "use_of_trng_for_nonsecurity_purpose",
"cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
]
},
{
"id": "insufficient_verification_of_data_authenticity",
"children": [
{
"id": "identity_check_value",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
}
]
},
{
"id": "key_reuse",
"children": [
{
"id": "inter_environment",
"cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
},
{
"id": "intra_environment",
"cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
{
"id": "lack_of_perfect_forward_secrecy",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
}
]
},
{
"id": "side_channel_attack",
"children": [
{
"id": "emanations_attack",
"cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "padding_oracle_attack",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "power_analysis_attack",
"cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "timing_attack",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
]
},
{
"id": "use_of_expired_cryptographic_key_or_cert",
"cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
},
{
"id": "weak_hash",
"children": [
{
"id": "use_of_predictable_salt",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
}
]
}
]
},
{
"id": "data_biases",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "decentralized_application_misconfiguration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "developer_biases",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "external_behavior",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "indicators_of_compromise",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "insecure_data_storage",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "sensitive_application_data_stored_unencrypted",
"children": [
{
"id": "on_external_storage",
"cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
}
]
},
{
"id": "server_side_credentials_storage",
"children": [
{
"id": "plaintext",
"cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
}
]
}
]
},
{
"id": "insecure_data_transport",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "executable_download",
"children": [
{
"id": "no_secure_integrity_check",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
},
{
"id": "secure_integrity_check",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
}
]
}
]
},
{
"id": "insecure_os_firmware",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "command_injection",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
},
{
"id": "data_not_encrypted_at_rest",
"children": [
{
"id": "non_sensitive",
"cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
]
},
{
"id": "hardcoded_password",
"children": [
{
"id": "non_privileged_user",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "privileged_user",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
}
]
},
{
"id": "local_administrator_on_default_environment",
"cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
{
"id": "over_permissioned_credentials_on_storage",
"cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
{
"id": "shared_credentials_on_storage",
"cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
{
"id": "weakness_in_firmware_updates",
"children": [
{
"id": "firmware_does_not_validate_update_integrity",
"cvss_v3": "AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H"
},
{
"id": "firmware_is_not_encrypted",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
]
}
]
},
{
"id": "insufficient_security_configurability",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "no_password_policy",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
{
"id": "weak_password_reset_implementation",
"children": [
{
"id": "token_is_not_invalidated_after_use",
"cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
}
]
},
{
"id": "weak_two_fa_implementation",
"children": [
{
"id": "two_fa_secret_cannot_be_rotated",
"cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
"cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
]
}
]
},
{
"id": "lack_of_binary_hardening",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "misinterpretation_biases",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "mobile_security_misconfiguration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "auto_backup_allowed_by_default",
"cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
},
{
"id": "clipboard_enabled",
"cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
}
]
},
{
"id": "network_security_misconfiguration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "physical_security_issues",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "weakness_in_physical_access_control",
"children": [
{
"id": "commonly_keyed_system",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
}
]
}
]
},
{
"id": "privacy_concerns",
"children": [
{
"id": "unnecessary_data_collection",
"children": [
{
"id": "wifi_ssid_password",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
]
}
]
},
{
"id": "protocol_specific_misconfiguration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "sensitive_data_exposure",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "disclosure_of_secrets",
"children": [
{
"id": "for_internal_asset",
"cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
},
{
"id": "for_publicly_accessible_asset",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
},
{
"id": "pay_per_use_abuse",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
]
},
{
"id": "exif_geolocation_data_not_stripped_from_uploaded_images",
"children": [
{
"id": "automatic_user_enumeration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
{
"id": "manual_user_enumeration",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
]
},
{
"id": "graphql_introspection_enabled",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
{
"id": "json_hijacking",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
},
{
"id": "mixed_content",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
},
{
"id": "non_sensitive_token_in_url",
"cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "sensitive_token_in_url",
"cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "token_leakage_via_referer",
"children": [
{
"id": "over_http",
"cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
},
{
"id": "password_reset_token",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
{
"id": "trusted_third_party",
"cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "untrusted_third_party",
"cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
}
]
},
{
"id": "via_localstorage_sessionstorage",
"children": [
{
"id": "non_sensitive_token",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "sensitive_token",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
]
},
{
"id": "visible_detailed_error_page",
"children": [
{
"id": "detailed_server_configuration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
]
},
{
"id": "weak_password_reset_implementation",
"children": [
{
"id": "token_leakage_via_host_header_poisoning",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
}
],
"cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"
}
]
},
{
"id": "server_security_misconfiguration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "bitsquatting",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
{
"id": "captcha",
"children": [
{
"id": "brute_force",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "implementation_vulnerability",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
]
},
{
"id": "clickjacking",
"children": [
{
"id": "form_input",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
},
{
"id": "non_sensitive_action",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
},
{
"id": "sensitive_action",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
}
]
},
{
"id": "dbms_misconfiguration",
"children": [
{
"id": "excessively_privileged_user_dba",
"cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
}
]
},
{
"id": "email_verification_bypass",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
},
{
"id": "exposed_portal",
"children": [
{
"id": "admin_portal",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"id": "non_admin_portal",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "protected",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
}
]
},
{
"id": "insecure_ssl",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "lack_of_password_confirmation",
"children": [
{
"id": "manage_two_fa",
"cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
}
],
"cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
},
{
"id": "lack_of_security_headers",
"children": [
{
"id": "cache_control_for_a_sensitive_page",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "mail_server_misconfiguration",
"children": [
{
"id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
},
{
"id": "no_spoofing_protection_on_email_domain",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
}
]
},
{
"id": "misconfigured_dns",
"children": [
{
"id": "missing_caa_record",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "subdomain_takeover",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
"id": "zone_transfer",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
]
},
{
"id": "missing_dnssec",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "missing_secure_or_httponly_cookie_flag",
"children": [
{
"id": "session_token",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
]
},
{
"id": "missing_subresource_integrity",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "no_rate_limiting_on_form",
"children": [
{
"id": "change_password",
"cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
},
{
"id": "login",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
],
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"
},
{
"id": "oauth_misconfiguration",
"children": [
{
"id": "account_squatting",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
},
{
"id": "account_takeover",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
},
{
"id": "insecure_redirect_uri",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "missing_state_parameter",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
}
],
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
},
{
"id": "rfd",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
},
{
"id": "same_site_scripting",
"cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
},
{
"id": "server_side_request_forgery_ssrf",
"children": [
{
"id": "external_dns_query_only",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
},
{
"id": "external_low_impact",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
},
{
"id": "internal_high_impact",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
},
{
"id": "internal_scan_and_or_medium_impact",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
}
]
},
{
"id": "unsafe_file_upload",
"children": [
{
"id": "no_antivirus",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
},
{
"id": "no_size_limit",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
]
},
{
"id": "using_default_credentials",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
},
{
"id": "waf_bypass",
"children": [
{
"id": "direct_server_access",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
]
}
]
},
{
"id": "server_side_injection",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "content_spoofing",
"children": [
{
"id": "email_html_injection",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
},
{
"id": "external_authentication_injection",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
},
{
"id": "html_content_injection",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "iframe_injection",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
{
"id": "impersonation_via_broken_link_hijacking",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
}
],
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
},
{
"id": "file_inclusion",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
},
{
"id": "http_response_manipulation",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
{
"id": "remote_code_execution_rce",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"id": "sql_injection",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
},
{
"id": "ssti",
"children": [
{
"id": "basic",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
]
},
{
"id": "xml_external_entity_injection_xxe",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
}
]
},
{
"id": "smart_contract_misconfiguration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "societal_biases",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "unvalidated_redirects_and_forwards",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "open_redirect",
"children": [
{
"id": "get_based",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
}
]
}
]
},
{
"id": "using_components_with_known_vulnerabilities",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "rosetta_flash",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
}
]
},
{
"id": "zero_knowledge_security_misconfiguration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
}
]
}