Simple CVSS v3.1 Base Score Calculator
The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. This interactive calculator helps security professionals, penetration testers, and researchers quickly calculate CVSS v3.1 base scores and generate proper vector strings.
Why make this? I wanted something that was easy to use and always with me. This generator is a simple flat HTML file, which means even without internet access I can run it locally in my browser and generate scores if need be.
Limitations
- This calculator only covers Base Metrics (not Temporal or Environmental; however, you only need Base Metrics to calculate a score), so it is targeted at pentesters.
- CVSS scores are not a substitute for professional judgment; you always need to consider organizational context and business impact.
Understanding CVSS v3.1
I would recommend you read my article here https://bloodstiller.com/articles/understandingcvssscoring as I explain the scoring system in depth.
CVSS v3.1 consists of three metric groups:
- Base Metrics - Intrinsic characteristics of a vulnerability
- Temporal Metrics - Characteristics that change over time
- Environmental Metrics - Characteristics specific to an organization’s environment
This calculator focuses on the Base Metrics, primarily because these are the only metrics required to generate a CVSS score.
Base Score Metrics Quick Reference:
Scoring the different metrics can sometimes be overwhelming, so here is a simple quick reference.
Metric | Values | Description |
---|---|---|
Attack Vector | Network, Adjacent, Local, Physical | Where the attacker needs to be |
Attack Complexity | Low, High | How difficult the attack is to execute |
Privileges Required | None, Low, High | What access the attacker needs |
User Interaction | None, Required | Whether user action is needed |
Scope | Changed, Unchanged | Whether other systems are affected |
Confidentiality | None, Low, High | Impact on data confidentiality |
Integrity | None, Low, High | Impact on data integrity |
Availability | None, Low, High | Impact on system availability |
Severity Ratings
CVSS scores are categorized into severity levels:
- 0.0: None
- 0.1 - 3.9: Low
- 4.0 - 6.9: Medium
- 7.0 - 8.9: High
- 9.0 - 10.0: Critical
CVSS Vector String
The calculator generates a CVSS vector string in the format:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This standardized format allows for easy sharing and comparison of vulnerability assessments across different tools and platforms.
Usage Examples
Example 1: Remote Code Execution Vulnerability
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Result: Score 10.0 (Critical)
Example 2: Information Disclosure Vulnerability
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
Result: Score 7.5 (High)
Additional Resources
Bloodstiller