CINXE.COM

CVSS v3.1 Calculator Use & Design

<!doctype html><html lang="en" class="web tlp-clear" data-studio-config="eyJ4aHJDcmVkZW50aWFscyI6ZmFsc2UsInhockhlYWRlcnMiOnt9fQo="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>CVSS v3.1 Calculator Use & Design</title> <meta property="og:title" content="CVSS v3.1 Calculator Use &amp; Design" /> <meta property="og:type" content="website" /> <meta property="og:image" content="https://www.first.org/cvss/identity/cvssv4.png" /> <meta property="og:url" content="https://www.first.org/cvss/v3.1/use-design" /> <meta property="og:site_name" content="FIRST — Forum of Incident Response and Security Teams" /> <meta property="fb:profile_id" content="296983660669109" /> <meta property="twitter:card" content="summary_large_image" /> <meta property="twitter:site" content="@FIRSTdotOrg" /> <meta property="twitter:image" content="https://www.first.org/cvss/identity/cvssv4.png" /><meta name="viewport" content="initial-scale=1,maximum-scale=1.0,user-scalable=no" /><link rel="icon" type="image/png" href="/1st.png" /><link rel="apple-touch-icon" sizes="128x128" href="/favicon.png" /><link rel="stylesheet" type="text/css" href="/_/web.css?20241031194005" /></head><body><header><div id="header" data-studio="CU52CV1W8g"><div id="c3" data-studio="Yu8FjCC11g"><div id="topbar"> <div class="sites right"> <ul> <li><a href="https://support.first.org" class="kb-datalist"><img src="/_/img/icon-portal_support.svg" alt="FIRST Support" title="FIRST Support" /></a></li> <li><a href="https://portal.first.org" class="button"><span class="no-tiny">Member </span>Portal</a></li> </ul> </div> <div class="first-logo"> <p><a href="/"><img src="/_/img/first-org-simple-negative.svg" alt="FIRST.Org" title="FIRST" /></a></p> </div> <div class="nav"> <ul class="navbar"><li><a href="/about">About FIRST</a><ul><li><a href="/about/mission">Mission Statement</a></li><li><a href="/about/history">History</a></li><li><a href="/about/sdg">Sustainable Development Goals</a></li><li><a href="/about/organization">Organization</a><ul><li><a href="/about/organization/directors">Board of Directors</a></li><li><a>Operations Team</a><ul><li><a href="/about/organization/ccb">Community &amp; Capacity Building</a></li><li><a href="/about/organization/events">Event Office</a></li><li><a href="/about/organization/executive-director">Executive Director</a></li><li><a href="/about/organization/infrastructure">Infrastructure</a></li><li><a href="/about/organization/secretariat">Secretariat</a></li></ul></li><li><a href="/about/organization/committees">Committees</a><ul><li><a href="/about/organization/committees/compensation-committee">Compensation Committee</a></li><li><a href="/about/organization/committees/conference-program-committee">Conference Program Committee</a></li><li><a href="/about/organization/committees/membership-committee">Membership Committee</a></li><li><a href="/about/organization/committees/rules-committee">Rules Committee</a></li><li><a href="/about/organization/committees/standards">Standards Committee</a></li></ul></li><li><a href="/events/agm">Annual General Meeting</a></li><li><a href="/about/organization/reports">Annual Reports and Tax Filings</a></li></ul></li><li><a href="/about/policies">FIRST Policies</a><ul><li><a href="/about/policies/anti-corruption">Anti-Corruption Policy</a></li><li><a href="/about/policies/antitrust">Antitrust Policy</a></li><li><a href="/about/policies/bylaws">Bylaws</a></li><li><a href="/about/policies/board-duties">Board duties</a></li><li><a href="/about/bugs">Bug Bounty Program</a></li><li><a href="/about/policies/code-of-conduct">Code of Conduct</a></li><li><a href="/about/policies/conflict-policy">Conflict of Interest Policy</a></li><li><a href="/about/policies/doc-rec-retention-policy">Document Record Retention and Destruction Policy</a></li><li><a href="/newsroom/policy">FIRST Press Policy</a></li><li><a href="/about/policies/gen-event-reg-refund-policy">General Event Registration Refund Policy</a></li><li><a href="/about/policies/event-site-selection">Guidelines for Site Selection for all FIRST events</a></li><li><a href="/identity">Identity &amp; Logo Usage</a></li><li><a href="/about/policies/mailing-list">Mailing List Policy</a></li><li><a href="/about/policies/media">Media Policy</a></li><li><a href="/about/policies/privacy">Privacy Policy</a></li><li><a href="/about/policies/registration-terms-conditions">Registration Terms &amp; Conditions</a></li><li><a href="/about/policies/terms">Services Terms of Use</a></li><li><a href="/about/policies/standards">Standards Policy</a></li><li><a href="/about/policies/diversity">Statement on Diversity &amp; Inclusion</a></li><li><a href="/about/policies/translation-policy">Translation Policy</a></li><li><a href="/about/policies/travel-policy">Travel Policy</a></li><li><a href="/about/policies/uniform-ipr">Uniform IPR Policy</a></li><li><a href="/about/policies/whistleblower-policy">Whistleblower Protection Policy</a></li></ul></li><li><a href="/about/partners">Partnerships</a><ul><li><a href="/global/partners">Partners</a></li><li><a href="/global/friends">Friends of FIRST</a></li><li><a href="/global/supporters/">FIRST Supporters</a></li><li><a href="/about/sponsors">Sponsors</a></li></ul></li><li><a href="/newsroom">Newsroom</a><ul><li><a href="/newsroom/news">What&#039;s New</a></li><li><a href="/newsroom/releases">Press Releases</a></li><li><a href="/newsroom/news/media">In the News</a></li><li><a href="/podcasts">Podcasts</a><ul><li><a href="/newsroom/news/first-impressions/">FIRST Impressions Podcast</a></li><li><a href="/newsroom/news/podcasts/">FIRSTCON Podcast</a></li></ul></li><li><a href="/newsroom/newsletters">Newsletters</a></li><li><a href="/newsroom/policy">FIRST Press Policy</a></li></ul></li><li><a href="/about/procurement">Procurement</a></li><li><a href="/about/jobs/">Jobs</a></li><li><a href="/contact">Contact</a></li></ul></li><li><a href="/members">Membership</a><ul><li><a href="/membership/">Becoming a Member</a><ul><li><a href="/membership/process">Membership Process for Teams</a></li><li><a href="/membership/process-liaisons">Membership Process for Liaisons</a></li><li><a href="/membership/#Fees">Membership Fees</a></li></ul></li><li><a href="/members/teams">FIRST Teams</a></li><li><a href="/members/liaisons">FIRST Liaisons</a></li><li><a href="/members/map">Members around the world</a></li></ul></li><li><a href="/global">Initiatives</a><ul><li><a href="/global/sigs">Special Interest Groups (SIGs)</a><ul><li><a href="/global/sigs/framework">SIGs Framework</a></li><li><a href="/global/sigs/academicsec" class="borderb">Academic Security SIG</a></li><li><a href="/global/sigs/ai-security">AI Security SIG</a></li><li><a href="/global/sigs/automation">Automation SIG</a></li><li><a href="/global/sigs/bigdata">Big Data SIG</a></li><li><a href="/cvss">Common Vulnerability Scoring System (CVSS-SIG)</a><ul><li><a href="/cvss/calculator/4.0">Calculator</a></li><li><a href="/cvss/v4.0/specification-document">Specification Document</a></li><li><a href="/cvss/v4.0/user-guide">User Guide</a></li><li><a href="/cvss/v4.0/examples">Examples</a></li><li><a href="/cvss/v4.0/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v4-0">CVSS v4.0 Documentation &amp; Resources</a><ul><li><a href="/cvss/calculator/4.0">CVSS v4.0 Calculator</a></li><li><a href="/cvss/v4.0/specification-document">CVSS v4.0 Specification Document</a></li><li><a href="/cvss/v4.0/user-guide">CVSS v4.0 User Guide</a></li><li><a href="/cvss/v4.0/examples">CVSS v4.0 Examples</a></li><li><a href="/cvss/v4.0/faq">CVSS v4.0 FAQ</a></li></ul></li><li><a href="/cvss/v3-1">CVSS v3.1 Archive</a><ul><li><a href="/cvss/calculator/3.1">CVSS v3.1 Calculator</a></li><li><a href="/cvss/v3.1/specification-document">CVSS v3.1 Specification Document</a></li><li><a href="/cvss/v3.1/user-guide">CVSS v3.1 User Guide</a></li><li><a href="/cvss/v3.1/examples">CVSS v3.1 Examples</a></li><li><a href="/cvss/v3.1/use-design">CVSS v3.1 Calculator Use &amp; Design</a></li></ul></li><li><a href="/cvss/v3-0">CVSS v3.0 Archive</a><ul><li><a href="/cvss/calculator/3.0">CVSS v3.0 Calculator</a></li><li><a href="/cvss/v3.0/specification-document">CVSS v3.0 Specification Document</a></li><li><a href="/cvss/v3.0/user-guide">CVSS v3.0 User Guide</a></li><li><a href="/cvss/v3.0/examples">CVSS v3.0 Examples</a></li><li><a href="/cvss/v3.0/use-design">CVSS v3.0 Calculator Use &amp; Design</a></li></ul></li><li><a href="/cvss/v2">CVSS v2 Archive</a><ul><li><a href="/cvss/v2/guide">CVSS v2 Complete Documentation</a></li><li><a href="/cvss/v2/history">CVSS v2 History</a></li><li><a href="/cvss/v2/team">CVSS-SIG team</a></li><li><a href="/cvss/v2/meetings">SIG Meetings</a></li><li><a href="/cvss/v2/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v2/adopters">CVSS Adopters</a></li><li><a href="/cvss/v2/links">CVSS Links</a></li></ul></li><li><a href="/cvss/v1">CVSS v1 Archive</a><ul><li><a href="/cvss/v1/intro">Introduction to CVSS</a></li><li><a href="/cvss/v1/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v1/guide">Complete CVSS v1 Guide</a></li></ul></li><li><a href="/cvss/data-representations">JSON &amp; XML Data Representations</a></li><li><a href="/cvss/training">CVSS On-Line Training Course</a></li><li><a href="/cvss/identity">Identity &amp; logo usage</a></li></ul></li><li><a href="/global/sigs/csirt">CSIRT Framework Development SIG</a></li><li><a href="/global/sigs/cyberinsurance">Cyber Insurance SIG</a><ul><li><a href="/global/sigs/cyberinsurance/events">Cyber Insurance SIG Webinars</a></li></ul></li><li><a href="/global/sigs/cti">Cyber Threat Intelligence SIG</a><ul><li><a href="/global/sigs/cti/curriculum/">Curriculum</a><ul><li><a href="/global/sigs/cti/curriculum/introduction">Introduction</a></li><li><a href="/global/sigs/cti/curriculum/cti-introduction">Introduction to CTI as a General topic</a></li><li><a href="/global/sigs/cti/curriculum/methods-methodology">Methods and Methodology</a></li><li><a href="/global/sigs/cti/curriculum/pir">Priority Intelligence Requirement (PIR)</a></li><li><a href="/global/sigs/cti/curriculum/source-evaluation">Source Evaluation and Information Reliability</a></li><li><a href="/global/sigs/cti/curriculum/machine-human">Machine and Human Analysis Techniques (and Intelligence Cycle)</a></li><li><a href="/global/sigs/cti/curriculum/threat-modelling">Threat Modelling</a></li><li><a href="/global/sigs/cti/curriculum/training">Training</a></li><li><a href="/global/sigs/cti/curriculum/standards">Standards</a></li><li><a href="/global/sigs/cti/curriculum/glossary">Glossary</a></li><li><a href="/global/sigs/cti/curriculum/cti-reporting/">Communicating Uncertainties in CTI Reporting</a></li></ul></li><li><a href="/global/sigs/cti/events/">Webinars and Online Training</a></li><li><a href="/global/sigs/cti/cti-program">Building a CTI program and team</a><ul><li><a href="/global/sigs/cti/cti-program/program-stages">Program maturity stages</a><ul><li><a href="/global/sigs/cti/cti-program/stage1">CTI Maturity model - Stage 1</a></li><li><a href="/global/sigs/cti/cti-program/stage2">CTI Maturity model - Stage 2</a></li><li><a href="/global/sigs/cti/cti-program/stage3">CTI Maturity model - Stage 3</a></li></ul></li><li><a href="/global/sigs/cti/cti-program/starter-kit">Program Starter Kit</a></li><li><a href="/global/sigs/cti/cti-program/resources">Resources and supporting materials</a></li></ul></li></ul></li><li><a href="/global/sigs/digital-safety">Digital Safety SIG</a></li><li><a href="/global/sigs/dns">DNS Abuse SIG</a><ul><li><a href="/global/sigs/dns/policies">Code of Conduct &amp; Other Policies</a></li><li><a href="/global/sigs/dns/dns-abuse-examples">Examples of DNS Abuse</a></li></ul></li><li><a href="/global/sigs/ethics">Ethics SIG</a><ul><li><a href="/global/sigs/ethics/ethics-first">Ethics for Incident Response Teams</a></li></ul></li><li><a href="/epss/">Exploit Prediction Scoring System (EPSS)</a><ul><li><a href="/epss/model">The EPSS Model</a></li><li><a href="/epss/data_stats">Data and Statistics</a></li><li><a href="/epss/user-guide">User Guide</a></li><li><a href="/epss/research">EPSS Research and Presentations</a></li><li><a href="/epss/faq">Frequently Asked Questions</a></li><li><a href="/epss/who_is_using">Who is using EPSS?</a></li><li><a href="/epss/epss_tools">Open-source EPSS Tools</a></li><li><a href="/epss/api">API</a></li><li><a href="/epss/papers">Related Exploit Research</a></li><li><a>Blog</a><ul><li><a href="/epss/articles/prob_percentile_bins">Understanding EPSS Probabilities and Percentiles</a></li><li><a href="/epss/articles/log4shell">Log4Shell Use Case</a></li><li><a href="/epss/articles/estimating_old_cvss">Estimating CVSS v3 Scores for 100,000 Older Vulnerabilities</a></li></ul></li><li><a href="/epss/partners">Data Partners</a></li></ul></li><li><a href="/global/sigs/msr/">FIRST Multi-Stakeholder Ransomware SIG</a></li><li><a href="/global/sigs/hfs/">Human Factors in Security SIG</a></li><li><a href="/global/sigs/ics">Industrial Control Systems SIG (ICS-SIG)</a></li><li><a href="/global/sigs/iep">Information Exchange Policy SIG (IEP-SIG)</a></li><li><a href="/global/sigs/information-sharing">Information Sharing SIG</a><ul><li><a href="/global/sigs/information-sharing/misp">Malware Information Sharing Platform</a></li></ul></li><li><a href="/global/sigs/le">Law Enforcement SIG</a></li><li><a href="/global/sigs/malware">Malware Analysis SIG</a><ul><li><a href="/global/sigs/malware/ma-framework">Malware Analysis Framework</a></li><li><a href="/global/sigs/malware/ma-framework/malwaretools">Malware Analysis Tools</a></li></ul></li><li><a href="/global/sigs/metrics">Metrics SIG</a><ul><li><a href="/global/sigs/metrics/events">Metrics SIG Webinars</a></li></ul></li><li><a href="/global/sigs/netsec/">NETSEC SIG</a></li><li><a href="/global/sigs/passive-dns">Passive DNS Exchange</a></li><li><a href="/global/sigs/policy">Policy SIG</a></li><li><a href="/global/sigs/psirt">PSIRT SIG</a></li><li><a href="/global/sigs/red-team">Red Team SIG</a></li><li><a href="/global/sigs/cpg">Retail and Consumer Packaged Goods (CPG) SIG</a></li><li><a href="/global/sigs/ctf">Security Lounge SIG</a></li><li><a href="/global/sigs/tic/">Threat Intel Coalition SIG</a><ul><li><a href="/global/sigs/tic/membership-rules">Membership Requirements and Veto Rules</a></li></ul></li><li><a href="/global/sigs/tlp">Traffic Light Protocol (TLP-SIG)</a></li><li><a href="/global/sigs/transport">Transportation and Mobility SIG</a></li><li><a href="/global/sigs/vulnerability-coordination">Vulnerability Coordination</a><ul><li><a href="/global/sigs/vulnerability-coordination/multiparty">Multi-Party Vulnerability Coordination and Disclosure</a></li><li><a href="/global/sigs/vulnerability-coordination/multiparty/guidelines">Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure</a></li></ul></li><li><a href="/global/sigs/vrdx">Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)</a><ul><li><a href="/global/sigs/vrdx/vdb-catalog">Vulnerability Database Catalog</a></li></ul></li><li><a href="/global/sigs/wof">Women of FIRST</a></li></ul></li><li><a href="/global/governance">Internet Governance</a></li><li><a href="/global/irt-database">IR Database</a></li><li><a href="/global/fellowship">Fellowship Program</a><ul><li><a href="https://portal.first.org/fellowship">Application Form</a></li></ul></li><li><a href="/global/mentorship">Mentorship Program</a></li><li><a href="/hof">IR Hall of Fame</a><ul><li><a href="/hof/inductees">Hall of Fame Inductees</a></li></ul></li><li><a href="/global/victim-notification">Victim Notification</a></li><li><a href="/volunteers/">Volunteers at FIRST</a><ul><li><a href="/volunteers/list">FIRST Volunteers</a></li><li><a href="/volunteers/participation">Volunteer Contribution Record</a></li></ul></li><li><a href="#new">Previous Activities</a><ul><li><a href="/global/practices">Best Practices Contest</a></li></ul></li></ul></li><li><a href="/standards">Standards &amp; Publications</a><ul><li><a href="/standards">Standards</a><ul><li><a href="/cvss">Common Vulnerability Scoring System (CVSS-SIG)</a></li><li><a href="/tlp">Traffic Light Protocol (TLP)</a><ul><li><a href="/tlp/use-cases">TLP Use Cases</a></li></ul></li><li><a href="/standards/frameworks/">Service Frameworks</a><ul><li><a href="/standards/frameworks/csirts">CSIRT Services Framework</a></li><li><a href="/standards/frameworks/psirts">PSIRT Services Framework</a></li></ul></li><li><a href="/iep">Information Exchange Policy (IEP)</a><ul><li><a href="/iep/iep_framework_2_0">IEP 2.0 Framework</a></li><li><a href="/iep/iep-json-2_0">IEP 2.0 JSON Specification</a></li><li><a href="/iep/iep-polices">Standard IEP Policies</a><ul><li><a href="https://www.first.org/iep/2.0/first-tlp-iep.iepj">IEP TLP Policy File</a></li><li><a href="https://www.first.org/iep/2.0/first-unknown-iep.iepj">IEP Unknown Policy File</a></li></ul></li><li><a href="/iep/iep_v1_0">IEP 1.0 Archive</a></li></ul></li><li><a href="/global/sigs/passive-dns">Passive DNS Exchange</a></li><li><a href="/epss">Exploit Prediction Scoring System (EPSS)</a></li></ul></li><li><a href="/resources/papers">Publications</a></li></ul></li><li><a href="/events">Events</a></li><li><a href="/education">Education</a><ul><li><a href="/education/first-training">FIRST Training</a><ul><li><a href="/education/trainings">Training Courses</a></li><li><a href="/education/trainers">FIRST Trainers</a></li></ul></li></ul></li><li><a href="/blog">Blog</a></li></ul> </div> </div> <div id="home-buttons"> <p><a href="/join" data-title="Join"><img alt="Join" src="/_/img/icon-join.svg"><span class="tt-join">Join<span>Details about FIRST membership and joining as a full member or liaison.</span></span></a> <a href="/learn" data-title="Learn"><img alt="Learn" src="/_/img/icon-learn.svg"><span class="tt-learn">Learn<span>Training and workshop opportunities, and details about the FIRST learning platform.</span></span></a> <a href="/participate" data-title="Participate"><img alt="Participate" src="/_/img/icon-participate.svg"><span class="tt-participate">Participate<span>Read about upcoming events, SIGs, and know what is going on.</span></span></a></p> </div></div></div></header><div id="body" data-studio="CU52CV1W8g"><div id="c1" data-studio="Yu8FjCC11g"><p><img src="/cvss/identity/cvss_web.png" alt="CVSS logo" /></p> <h1 id="Common-Vulnerability-Scoring-System-v3-1-Calculator-Use-amp-Design">Common Vulnerability Scoring System v3.1: Calculator Use &amp; Design</h1> <p>This guide covers the following aspects of the CVSS Calculator:</p> <ul> <li><a href="#userguide">Calculator Use</a> - general notes on using the CVSS Calculator.</li> <li><a href="#Changelog">Changelog</a> - a list of changes made to the CVSS Calculator.</li> <li><a href="#techdesign">Technical Design</a> - an explanation of the design and implementation of the CVSS Calculator aimed at people planning to implement their own versions based on the code on this web site.</li> <li><a href="#xml">XML Schema Definition</a> - a schema defining a format for representing a set of CVSS metrics in XML.</li> </ul> <h2 id="Calculator-Use"><a id="userguide"></a>Calculator Use</h2> <p>The CVSS calculator implements the formula defined in the <a href="specification-document">CVSS version 3.1 standard</a>, generating scores based on the metric values you enter. You should refer to the standard for details of the metrics to ensure you pick the correct values for a given vulnerability. Hovering your mouse pointer over metric group names, metric names and metric values displays a summary of the information in the standard. This feature is not available on devices with no pointer, such as touchscreen devices.</p> <p>The standard only defines scores when all Base metrics have values. If one or more Base metrics have no value set, no score is displayed and a reminder that all values first need to be set is shown. Select values for all Base metrics to enable scoring.</p> <p>The standard defines a concise representation of the metric values forming a CVSS score, known as a <em>Vector String</em>. When you have chosen a value for every Base metric, the Vector String will be displayed beneath the Base score. This will be updated as you make further changes to metric values. Right-clicking on the Vector String selects the entire string, making it easier to copy.</p> <p>A Vector String can be passed on the URL to set the calculator metric buttons to the values given in the URL. The Vector String must conform to the format specified in the CVSS v3.1 standard. As per the standard, it must include all Base metrics. Temporal and Environmental metrics are optional and will default to &quot;Not Defined (X)&quot; if not included in the Vector String. It is permissible to include some but not all Temporal and Environmental metrics. An example URL is: <a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L">https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L</a></p> <p>When all Base metrics are chosen, the Vector String is added to the URL (if it wasn't already present), and updated if further metric changes are made. This enables the whole URL to be copied and used to link to the calculator in a way that restores the current metric values and scores.</p> <p>The calculator may not work correctly with Microsoft Internet Explorer.</p> <h2 id="Changelog">Changelog</h2> <p>The following changes have been made to the CVSS Calculator since it was first made available. The changes are listed starting with the most recent.</p> <table cellpadding="0" cellspacing="0" class="data-preview"> <tr class="odd"> <td class="nowrap">10 June 2019</td> <td> <ul> <li>Created the CVSS v3.1 Calculator based on the CVSS v3.0 Calculator code, updated with the changes made between the CVSS v3.0 and CVSS v3.1 standards, mainly changes to metric descriptions and minor modifications to the underlying formulas.</li> </ul> </td> </tr> </table> <h2 id="CVSS-Calculator-Technical-Design"><a id="techdesign"></a>CVSS Calculator Technical Design</h2> <p>This section explains the CVSS Calculator's implementation. This may be useful if you wish to implement your own CVSS calculator based on FIRST's code. Each file is listed with an explanation of how it may be useful in your CVSS calculator implementation.</p> <ul> <li><a href="/cvss/calculator/cvsscalc31.js">cvsscalc31.js</a> - JavaScript routines to calculate Base, Temporal and Environmental scores, given metric values. This is the code most likely to be useful when creating your own CVSS calculator, and is explained in more detail below.</li> <li><a href="/cvss/calculator/3.1">3.1</a> - an HTML interface to the CVSS Calculator. The top and bottom of the HTML code is specific to FIRST's web site and only the code between the HTML comments with the text &quot;CVSS Calculator content start&quot; and &quot;CVSS Calculator end&quot; is available under a permissive license. This code may be useful if you wish to create your own CVSS calculator with a similar interface to FIRST's.</li> <li><a href="/cvss/calculator/cvsscalc31_helptext.js">cvsscalc31_helptext.js</a> - contains the help text that is displayed when hovering over CVSS Calculator items such as metric values. The text is taken from the CVSS v3.1 standard.</li> </ul> <h3 id="JavaScript-Functions-in-cvsscalc31-js">JavaScript Functions in cvsscalc31.js</h3> <p>The following is a summary of available functions. The comments preceding the function definitions in the source code provide more detail.</p> <h4 id="CVSS-calculateCVSSFromMetrics">CVSS.calculateCVSSFromMetrics</h4> <p>Takes Base, Temporal and Environmental metric values as individual parameters and returns: scores for each, severity ratings for each, and a complete Vector String. The input parameters are:</p> <ul> <li>AttackVector, AttackComplexity, PrivilegesRequired, UserInteraction, Scope, Confidentiality, Integrity, Availability,</li> <li>Exploitability, RemediationLevel, ReportConfidence,</li> <li>ConfidentialityRequirement, IntegrityRequirement, AvailabilityRequirement,</li> <li>ModifiedAttackVector, ModifiedAttackComplexity, ModifiedPrivilegesRequired, ModifiedUserInteraction, ModifiedScope,</li> <li>ModifiedConfidentiality, ModifiedIntegrity, ModifiedAvailability</li> </ul> <p>Parameter values are passed in the short format defined in the CVSS v3.1 standard definition of the Vector String. For example, the AttackComplexity parameter should be either &quot;H&quot; or &quot;L&quot;. All Base metrics are mandatory; Temporal and Environmental metrics are optional. The function returns an object. The object always has a Boolean property named &quot;success&quot; that will be &quot;true&quot; if no error occurred. Assuming this to be the case, the following properties are also defined:</p> <ul> <li>baseMetricScore, baseSeverity,</li> <li>temporalMetricScore, temporalSeverity,</li> <li>environmentalMetricScore, environmentalSeverity,</li> <li>vectorString</li> </ul> <p>Each &quot;Score&quot; property contains a number representing the score, each &quot;Severity&quot; property contains a string with the associated severity rating, and the &quot;vectorString&quot; property is a complete Vector String.</p> <p>An example of a call to this function is:</p> <pre><code>var output = CVSS31.calculateCVSSFromMetrics('N','L','N','R','C','L','L','N'); var result; if (output.success === true) { result = "Base score is " + output.baseMetricScore + ". " + "Base severity is " + output.baseSeverity + ". " + "Temporal score is " + output.temporalMetricScore + ". " + "Temporal severity is " + output.temporalSeverity + ". " + "Environmental score is " + output.environmentalMetricScore + ". " + "Environmental severity is " + output.environmentalSeverity + ". " + "Vector string is " + output.vectorString + ". "; } else { result = "An error occurred. The error type is '" + errorType + "' and the metrics with errors are " + errorMetrics + "."; } alert (result);</code></pre> <p>This displays an alert box with the contents:</p> <p>Base score is 6.1. Base severity is Medium. Temporal score is 6.1. Temporal severity is Medium. Environmental score is 6.1. Environmental severity is Medium. Vector string is <span class="nowrap">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</span>.</p> <p>Refer to the source code for more details on how errors are returned.</p> <h4 id="CVSS-calculateCVSSFromVector">CVSS.calculateCVSSFromVector</h4> <p>This is similar to the previous function except that it takes a Vector String as input. Outputs are the same, except that additional error types are defined to handle problems in the format of the Vector String.</p> <pre><code>var output = CVSS31.calculateCVSSFromVector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/RL:O/CR:L"); var result; if (output.success === true) { result = "Base score is " + output.baseMetricScore + ". " + "Base severity is " + output.baseSeverity + ". " + "Temporal score is " + output.temporalMetricScore + ". " + "Temporal severity is " + output.temporalSeverity + ". " + "Environmental score is " + output.environmentalMetricScore + ". " + "Environmental severity is " + output.environmentalSeverity + ". " + "Vector string is " + output.vectorString + ". "; } else { result = "An error occurred. The error type is '" + output.errorType + "' and the metrics with errors are " + output.errorMetrics + "."; } alert (result);</code></pre> <p>This displays an alert box with the contents:</p> <p>Base score is 8.6. Base severity is High. Temporal score is 8.2. Temporal severity is High. Environmental score is 6.0. Environmental severity is Medium. Vector string is <span class="nowrap">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/RL:O/CR:L</span>.</p> <h4 id="CVSS-roundUp1">CVSS.roundUp1</h4> <p>Takes an integer as input and returns it rounded up to one decimal place. An example of a call to this function is:</p> <pre><code>alert (CVSS31.roundUp1(3.141));</code></pre> <p>This displays an alert box with the contents:</p> <p>3.2</p> <h4 id="CVSS-severityRating">CVSS.severityRating</h4> <p>Takes a CVSS score as input and returns the severity rating name associated with that score. An example of a call to this function is:</p> <pre><code>var rating = CVSS31.severityRating(4.8); var result; if (typeof rating === 'string') { result = "Returned severity rating is " + rating; } else if (typeof rating === 'undefined') { result = "The input is not within the range of any defined severity rating."; } else { result = "The input is not recognized as a number."; } alert (result);</code></pre> <p>This displays an alert box with the contents:</p> <p>Returned severity rating is Medium.</p> <h4 id="CVSS-generateXMLFromMetrics">CVSS.generateXMLFromMetrics</h4> <p>This is a rudimentary function to demonstrate how an XML representation of a given set of metric values can be generated. The inputs and errors are the same as for the <a href="#calculatecvssfrommetrics">CVSS.calculateCVSSFromMetrics</a> function. The output is a string containing an XML representation of the metric values passed. If no error occurs, the string will be available in the <strong>xmlString</strong> property of the returned object.</p> <p>An example of a call to this function is:</p> <pre><code>var output = CVSS31.generateXMLFromMetrics('N','L','N','R','C','L','L','N',undefined,'W'); var result; if (output.success === true) { result = output.xmlString; } else { result = "An error occurred. The error type is '" + errorType + "' and the metrics with errors are " + errorMetrics + "."; } alert (result);</code></pre> <p>This displays an alert box whose contents begin with:</p> <pre><code>&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;cvssv3.1 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://www.first.org/cvss/cvss-v3.1.xsd https://www.first.org/cvss/cvss-v3.1.xsd" &gt; &lt;base_metrics&gt; &lt;attack-vector&gt;NETWORK&lt;/attack-vector&gt; &lt;attack-complexity&gt;LOW&lt;/attack-complexity&gt; &lt;privileges-required&gt;NONE&lt;/privileges-required&gt; …</code></pre> <p>Refer to the source code for more details on how errors are returned.</p> <h4 id="CVSS-generateXMLFromVector">CVSS.generateXMLFromVector</h4> <p>This is a rudimentary function to demonstrate how an XML representation of a given Vector String can be generated. It is similar to the previous function except that it takes a Vector String as input. Outputs are the same, except that additional error types are defined to handle problems in the format of the Vector String.</p> <p>An example of a call to this function is:</p> <pre><code>var output = CVSS31.generateXMLFromVector('CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:W'); var result; if (output.success === true) { result = output.xmlString; } else { result = "An error occurred. The error type is '" + errorType + "' and the metrics with errors are " + errorMetrics + "."; } alert (result);</code></pre> <p>This displays an alert box whose contents begin with:</p> <pre><code>&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;cvssv3.1 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://www.first.org/cvss/cvss-v3.1.xsd https://www.first.org/cvss/cvss-v3.1.xsd" &gt; &lt;base_metrics&gt; &lt;attack-vector&gt;NETWORK&lt;/attack-vector&gt; &lt;attack-complexity&gt;LOW&lt;/attack-complexity&gt; &lt;privileges-required&gt;NONE&lt;/privileges-required&gt; …</code></pre> <p>Refer to the source code for more details on how errors are returned.</p> <h2 id="XML-Schema-Definition"><a id="xml"></a>XML Schema Definition</h2> <p>It is sometimes useful to represent the CVSS metric values and scores for a vulnerability in XML format, e.g. to transfer CVSS data between systems. CVSS v3.1 has an XML Schema Definition (XSD) that defines an XML format for CVSS v3.1 vulnerabilities. The <a href="#generatexmlfrommetrics">CVSS.generateXMLFromMetrics</a> and <a href="#generatexmlfromvector">CVSS.generateXMLFromVector</a> functions output a given set of CVSS metrics in this XML format, and maybe a useful starting point if you wish to use XML. The following XSD files are available:</p> <ul> <li><a href="https://www.first.org/cvss/cvss-v3.1.xsd">https://www.first.org/cvss/cvss-v3.1.xsd</a> - the XSD for CVSS v3.1.</li> <li><a href="https://www.first.org/cvss/cvss-v3.0.xsd">https://www.first.org/cvss/cvss-v3.0.xsd</a> - the XSD for CVSS v3.0.</li> <li><a href="https://nvd.nist.gov/schema/cvss-v2_0.2.xsd">https://nvd.nist.gov/schema/cvss-v2_0.2.xsd</a> - an XSD for CVSS v2.0 hosted on NIST's web site.</li> </ul></div></div><div id="navbar" data-studio="CU52CV1W8g"><div id="c4" data-studio="Yu8FjCC11g"><ul class="navbar"><li><a href="/cvss">Common Vulnerability Scoring System (CVSS-SIG)</a><ul><li><a href="/cvss/calculator/4.0">Calculator</a></li><li><a href="/cvss/v4.0/specification-document">Specification Document</a></li><li><a href="/cvss/v4.0/user-guide">User Guide</a></li><li><a href="/cvss/v4.0/examples">Examples</a></li><li><a href="/cvss/v4.0/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v4-0">CVSS v4.0 Documentation &amp; Resources</a><ul><li><a href="/cvss/calculator/4.0">CVSS v4.0 Calculator</a></li><li><a href="/cvss/v4.0/specification-document">CVSS v4.0 Specification Document</a></li><li><a href="/cvss/v4.0/user-guide">CVSS v4.0 User Guide</a></li><li><a href="/cvss/v4.0/examples">CVSS v4.0 Examples</a></li><li><a href="/cvss/v4.0/faq">CVSS v4.0 FAQ</a></li></ul></li><li><a href="/cvss/v3-1">CVSS v3.1 Archive</a><ul><li><a href="/cvss/calculator/3.1">CVSS v3.1 Calculator</a></li><li><a href="/cvss/v3.1/specification-document">CVSS v3.1 Specification Document</a></li><li><a href="/cvss/v3.1/user-guide">CVSS v3.1 User Guide</a></li><li><a href="/cvss/v3.1/examples">CVSS v3.1 Examples</a></li><li><a href="/cvss/v3.1/use-design">CVSS v3.1 Calculator Use &amp; Design</a></li></ul></li><li><a href="/cvss/v3-0">CVSS v3.0 Archive</a><ul><li><a href="/cvss/calculator/3.0">CVSS v3.0 Calculator</a></li><li><a href="/cvss/v3.0/specification-document">CVSS v3.0 Specification Document</a></li><li><a href="/cvss/v3.0/user-guide">CVSS v3.0 User Guide</a></li><li><a href="/cvss/v3.0/examples">CVSS v3.0 Examples</a></li><li><a href="/cvss/v3.0/use-design">CVSS v3.0 Calculator Use &amp; Design</a></li></ul></li><li><a href="/cvss/v2">CVSS v2 Archive</a><ul><li><a href="/cvss/v2/guide">CVSS v2 Complete Documentation</a></li><li><a href="/cvss/v2/history">CVSS v2 History</a></li><li><a href="/cvss/v2/team">CVSS-SIG team</a></li><li><a href="/cvss/v2/meetings">SIG Meetings</a></li><li><a href="/cvss/v2/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v2/adopters">CVSS Adopters</a></li><li><a href="/cvss/v2/links">CVSS Links</a></li></ul></li><li><a href="/cvss/v1">CVSS v1 Archive</a><ul><li><a href="/cvss/v1/intro">Introduction to CVSS</a></li><li><a href="/cvss/v1/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v1/guide">Complete CVSS v1 Guide</a></li></ul></li><li><a href="/cvss/data-representations">JSON &amp; XML Data Representations</a></li><li><a href="/cvss/training">CVSS On-Line Training Course</a></li><li><a href="/cvss/identity">Identity &amp; logo usage</a></li></ul></li></ul></div></div><div id="sidebar" data-studio="CU52CV1W8g"></div><footer><div id="footer" data-studio="CU52CV1W8g"><div id="c2" data-studio="Yu8FjCC11g"><div class="content"> <div class="support"> <div class="kbsearch bottom"> <p><a href="https://support.first.org"><img src="/_/img/icon-portal_support.svg" alt="FIRST Support" title="FIRST Support" /></a> <input class="kb-search" type="search" placeholder="Do you need help?"></p> </div> </div> <div id="socialnetworks"><a href="/about/sdg" title="FIRST Supported Sustainable Development Goals (SDG)" class="icon-sdg"></a><a rel="me" href="https://infosec.exchange/@firstdotorg" target="_blank" title="@FIRSTdotOrg@infosec.exchange" class="icon-mastodon"></a><a href="https://twitter.com/FIRSTdotOrg" target="_blank" title="Twitter @FIRSTdotOrg" class="icon-tw"></a><a href="https://www.linkedin.com/company/firstdotorg" target="_blank" title="FIRST.Org at LinkedIn" class="icon-linkedin"></a><a href="https://www.facebook.com/FIRSTdotorg" target="_blank" title="FIRST.Org at Facebook" class="icon-fb"></a><a href="https://github.com/FIRSTdotorg" target="_blank" title="FIRST.Org at Github" class="icon-github"></a><a href="https://www.youtube.com/c/FIRSTdotorg" target="_blank" title="FIRST.Org at Youtube" class="icon-youtube"></a><a href="/podcasts" title="FIRST.Org Podcasts" class="icon-podcast"></a></div> <p><a href="/copyright">Copyright</a> © 2015—2024 by Forum of Incident Response and Security Teams, Inc. All Rights Reserved.</p> </div> <p><span class="tlp"></span></p></div></div></footer><script nonce="AshLyAw6xG_-qdeZJCMT7A" async="async" src="/_/web.js?20241125212614"></script><script nonce="AshLyAw6xG_-qdeZJCMT7A" async="async" src="/_/s.js?20241125-212616"></script></body></html>

Pages: 1 2 3 4 5 6 7 8 9 10