The correspondence between the vulnerability risk level and the CVSS base score is as follows.
● Risk Level: High
CVSS base score 7.0 to 10.0
IPA's level III (danger)
· Threats such as a system being remotely controlled
· Threats in which most information is leaked
· Threats in which most information is tampered with
· Denial-of-Service (DoS) in which all systems stop, OS command injection, SQL injection, arbitrary command execution by buffer overflow, etc.
● Risk Level: Medium
CVSS base score 4.0 to 6.9
IPA's level II (warning)
· Threats in which some information is leaked
· Threats in which some information is tampered with
· Threats that lead to service outages
· Cross-site scripting, directory traversal where some information leaks, Denial-of-Service (DoS) where some systems stop, etc.
· Others that fall under Level III but have low reproducibility
● Risk Level: Low
CVSS base score 0.1 to 3.9
IPA's level I (attention)
· Threats that require complex conditions to attack
· Others that fall under Level II but have low reproducibility
● Risk Level: Remarks
CVSS base score 0
There is no damage caused by the detected event alone, or there is no effective means of attack at the present time.
However, the item is pointed out because changes need to be considered in order to make the website more secure.