Microsoft Vulnerability Severity Classification for Online Services (2024)

Cross Site Scripting (XSS)

| Data Classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | XSS that can compromise user session tokens or sensitive cookies with no victim interaction or actions required |
| Confidential | Important | XSS that can compromise user session tokens or sensitive cookies |
| General | Moderate | XSS triggering on public pages that does not disclose private data or allow the compromise of an authenticated session |
| Public | Low | XSS requiring a victim to input the malicious code themselves |

Authentication Issues

| Data Classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Vulnerability allowing an attacker to authenticate as another highly privileged user or cross tenant without the victim's interaction |
| Confidential | Important | Vulnerability allowing an authenticated attacker within a tenant to elevate their privilege |
| General | N/A | Read-only access to a web directory that should be authenticated, like a directory that contains generic images for an internal-only site, but no sensitive information is obtainable |
| Public | | |

Improper Access Control

| Data Classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Missing access controls expose sensitive data from another customer |
| Confidential | Important | An unprivileged user accessing data intended for a privileged user |
| General | Moderate | An unprivileged user viewing non-sensitive data without permission |
| Public | Low | An unprivileged user viewing non-sensitive data that's not intended to be public |

Injection (SQL injection and Command injection)

| Data Classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Injection leading to elevation of privilege to a different tenant |
| Confidential | Important | Injection leading to elevation of privilege in the same tenant |
| General, Public | Moderate | Blind SQL Injection with no sensitive information disclosed |

Cross-Site Request Forgery (CSRF)

| Data Classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | CSRF vulnerability performing a highly privileged administrative action, like allowing account credential reset on any user in an Azure service |
| Confidential | Important | CSRF vulnerability resulting in the change of a user's email address and subsequent account takeover |
| General | Moderate | CSRF vulnerability allowing a minor change to a user's account, like adding a personal note to a user's account |
| Public | Low | A CSRF vulnerability on an unauthenticated form |

Server-Side Request Forgery (SSRF)

| Data Classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Cross-tenant information disclosure or elevation of privilege after reaching internal servers |
| Confidential | Important | SSRF vulnerability sending requests to sensitive internal endpoints that leak sensitive information or perform a sensitive action |
| General | Moderate | Blind SSRF reaching ports that should not be open |
| Public | Low | Blind SSRF that is only used for port scanning |

Deserialization of Untrusted Data

| Data Classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Deserialization leading to unauthenticated cross-tenant remote code execution |
| Confidential | Important | Deserialization leading to compromise of a system that processes data belonging to the current user |
| General | Moderate | Deserialization leading to server denial of service |
| Public | Low | Deserialization triggering only an HTTP 500 error with no other impact to the system |

Web Security Misconfiguration

| Data Classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Default admin credentials that access an important resource |
| Confidential | Important | URL redirect in an OAuth flow that leaks the OAuth token |
| General | Low | Clickjacking due to lack of the X-Frame-Options response header or lack of frame-ancestors in a CSP |
| Public | Low | Missing length check on a web app form leading to denial of service for the user, requiring them to refresh the page |

Cross Origin Access Issues

| Data Classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Improper CORS (trusted origin) validation leading to disclosure of tokens with excessive permissions |
| Confidential | Important | Improper CORS (trusted origin) validation |
| General | Moderate | Access-Control-Allow-Origin header in the response reflecting any value put in the Origin header of the request, along with Access-Control-Allow-Credentials being set to true |
| Public | Low | Access-Control-Allow-Origin header in the response set to '*' with no additional exploitation |
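The clickjacking row of the Web Security Misconfiguration table and the two CORS rows above describe conditions that can be checked mechanically from a service's own response headers. The following audit is an added example written for this page, not Microsoft's code or tooling: it parses the relevant headers, flags the three conditions the tables name, and tags each finding with the severity the tables assign under the General data classification. The untrusted origin, the sample responses and the "Unrated" label for origin reflection without credentials are assumptions of the example.

```python
"""Audit HTTP response headers for the cross-origin and anti-framing
misconfigurations that the severity matrix lists, and label each finding
with the severity the matrix assigns under the General data classification.
Added stand-alone example, not Microsoft tooling; the sample responses and
the untrusted origin below are constructed for it."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed: an origin the audited service must never trust. The harness sends
# it in the request's Origin header and looks for it echoed in the response.
UNTRUSTED_ORIGIN = "https://untrusted.example"


@dataclass(frozen=True)
class Finding:
    check: str      # which matrix row the finding maps to
    severity: str   # severity label taken from the matrix
    detail: str


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare them lower-cased."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_framing(headers: Dict[str, str]) -> Optional[Finding]:
    """Clickjacking row: Low when neither X-Frame-Options nor a CSP
    frame-ancestors directive restricts who may frame the page."""
    h = _normalize(headers)
    if h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"):
        return None
    if "frame-ancestors" in parse_csp(h.get("content-security-policy", "")):
        return None
    return Finding("clickjacking", "Low",
                   "no X-Frame-Options header and no frame-ancestors in CSP")


def check_cors(headers: Dict[str, str],
               request_origin: str = UNTRUSTED_ORIGIN) -> Optional[Finding]:
    """CORS rows: Moderate when the request's Origin is echoed back together
    with Access-Control-Allow-Credentials: true; Low for a bare wildcard."""
    h = _normalize(headers)
    allow_origin = h.get("access-control-allow-origin", "")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if allow_origin == "*":
        # Browsers refuse to combine '*' with credentialed requests, so the
        # matrix rates a wildcard with no further exploitation as Low.
        return Finding("cors", "Low", "Access-Control-Allow-Origin is '*'")
    if allow_origin == request_origin and credentials:
        return Finding("cors", "Moderate",
                       f"untrusted Origin {request_origin} reflected with credentials allowed")
    if allow_origin == request_origin:
        # Reflection without credentials is still improper trusted-origin
        # validation; the matrix rates that by data classification, so the
        # severity is left for triage rather than guessed here (assumed label).
        return Finding("cors", "Unrated",
                       f"untrusted Origin {request_origin} reflected (no credentials)")
    return None


def audit(headers: Dict[str, str]) -> List[Finding]:
    """Run every check over one response's headers."""
    return [f for f in (check_framing(headers), check_cors(headers)) if f]


# Constructed sample responses: one hardened response and three weak variants.
SAMPLE_RESPONSES = {
    "hardened": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Access-Control-Allow-Origin": "https://app.example",
        "Access-Control-Allow-Credentials": "true",
    },
    "reflects_origin": {
        "X-Frame-Options": "DENY",
        "Access-Control-Allow-Origin": UNTRUSTED_ORIGIN,
        "Access-Control-Allow-Credentials": "true",
    },
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "no_headers": {},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        for finding in audit(headers) or [Finding("-", "none", "no finding")]:
            print(f"{name:16} {finding.check:13} {finding.severity:9} {finding.detail}")
```

The severity labels come straight from the General rows; for Confidential or Highly Confidential services the same findings map to the higher rows, so the label is a starting point for triage, not a final rating. The audit only looks at one response at a time, so it cannot tell an allowlist that happens to contain the test origin from blind reflection; running it with several untrusted origins makes that distinction.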

Improper Input Validation

| Data Classification | Severity | Example |
|---|---|---|
| Highly Confidential | Critical | Tampering with request parameters affects the application's logic and allows cross-tenant information exposure or privilege escalation |
| Confidential | Important | Changing a parameter's value affects the application's logic, resulting in exposure of sensitive information or allowing the user to perform a sensitive action |
| General | Moderate | Tampering with input parameters that can only cause cosmetic changes to the user interface |
| Public | Low | Modifying input parameters that make the user interface difficult to use |


FAQs

What is a severity rating for Microsoft?

The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low.

What is the Microsoft exploitability index?

The Microsoft Exploitability Index helps customers prioritize security update deployment by providing information on the likelihood that a vulnerability addressed in a Microsoft security update will be exploited.

What is a vulnerability severity level?

Severity Level: High. Vulnerabilities that score in the high range usually have some of the following characteristics: the vulnerability is difficult to exploit; exploitation could result in elevated privileges; exploitation could result in significant data loss or downtime.

What Microsoft tool finds vulnerabilities?

Defender Vulnerability Management delivers asset visibility, intelligent assessments and prioritization, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices to prioritize and address critical vulnerabilities and misconfigurations across your organization.

What are the severity levels in Windows?

Windows event severity levels, in order of severity, are information, verbose, warning, error and critical. Most logs consist of information-based events.

What is the exploitability score for a vulnerability?

The "Exploitability Score" is an industry standard. For a CVE, the score is generated to give a number for how likely the vulnerability is to be exploited. How likely a vulnerability is to be exploited is not the same as a vulnerability being actively exploited.

What is an acceptable Microsoft Secure Score?

Having an 80% Secure Score or above is considered secure enough based on Microsoft standards. Having a 60% Secure Score or below means you're vulnerable to security threats and need to implement industry-standard security practices to prevent attackers from getting their hands on your data.

What is the six-category threat classification model developed by Microsoft?

STRIDE: at each vulnerable point, determine which of the six categories of threat (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) might be possible.

What are the 3 levels of severity?

Incident severity levels are a measurement of the impact an incident has on the business.

| Severity | Description |
|---|---|
| 1 | A critical incident with very high impact |
| 2 | A major incident with significant impact |
| 3 | A minor incident with low impact |

How do you determine severity level?

A common framework for incident severity levels is based on four factors: user impact, business impact, technical impact, and time to resolve. You can use these factors to assign a numerical or alphabetical level to each incident, such as Level 1 (critical), Level 2 (major), Level 3 (minor), and Level 4 (low).

What are the different categories of vulnerability classification?

Following are the classifications of vulnerabilities.
  • Misconfigurations or Weak Configurations. Setting up a computer network or system in an incorrect manner is a common mistake, mostly because people make errors. ...
  • Network Misconfigurations. ...
  • Host Misconfigurations. ...
  • Application Vulnerabilities. ...
  • Poor Patch Management.

What are Microsoft security measures?

Identity-based access controls

Our password controls enforce complexity, periodic rotation, and suspension when specified periods of user inactivity are detected. We restrict data and system access to individuals who have a genuine business need based on the principle of least privilege.

What security framework does Microsoft use?

The Microsoft Cybersecurity Reference Architectures (MCRA) are the component of Microsoft's Security Adoption Framework (SAF) that describe Microsoft's cybersecurity capabilities and technologies.

What cyber security does Microsoft use?

Microsoft Defender (Microsoft Security's cybersecurity solutions).

What is a severity rating scale?

Severity Rating is a system used to evaluate the impact or seriousness of a particular issue or problem based on its effect on the user experience or a combination of factors.

What is a good Microsoft Secure Score?

Above 80%: this is generally considered excellent. Organisations with scores in this range have implemented most recommended security measures and are well protected against common threats.

Article information

Author: Jamar Nader

Last Updated:

Views: 5950

Rating: 4.4 / 5 (75 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Jamar Nader

Birthday: 1995-02-28

Address: Apt. 536 6162 Reichel Greens, Port Zackaryside, CT 22682-9804

Phone: +9958384818317

Job: IT Representative

Hobby: Scrapbooking, Hiking, Hunting, Kite flying, Blacksmithing, Video gaming, Foraging

Introduction: My name is Jamar Nader, I am a fine, shiny, colorful, bright, nice, perfect, curious person who loves writing and wants to share my knowledge and understanding with you.