CVSS 3.1 Vector Reference
Format
CVSS:3.1/AV:[N|A|L|P]/AC:[L|H]/PR:[N|L|H]/UI:[N|R]/S:[U|C]/C:[N|L|H]/I:[N|L|H]/A:[N|L|H]
Score by Severity Tier
| Severity | Score Range | Typical Vector Example | Score |
|---|---|---|---|
| CRITICAL | 9.0–10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| CRITICAL | 9.0–10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10.0 |
| HIGH | 7.0–8.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 |
| HIGH | 7.0–8.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 7.5 |
| HIGH | 7.0–8.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.8 |
| MEDIUM | 4.0–6.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5 |
| MEDIUM | 4.0–6.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
| MEDIUM | 4.0–6.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 5.9 |
| LOW | 0.1–3.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| LOW | 0.1–3.9 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.5 |
| INFO | 0.0 | N/A — informational only | 0.0 |
Pre-built Vectors by Vulnerability Type
Pre-auth RCE (internet-facing): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8
Post-auth RCE (authenticated): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8
SQLi (data exfil possible): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N = 8.1
SQLi (read-only): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N = 6.5
Stored XSS (unauthenticated): AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N = 6.1
Stored XSS (post-auth): AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N = 5.4
Reflected XSS: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N = 6.1
SSRF (internal access): AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N = 7.2
SSRF (cloud metadata): AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N = 9.6
Path traversal (file read): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N = 7.5
LPE (local exploit): AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8
Insecure deserialization: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H = 8.1
IDOR (sensitive data): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N = 6.5
IDOR (data modification): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N = 8.1
Auth bypass (admin access): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N = 9.1
Weak JWT (crackable secret): AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N = 7.4
Hardcoded credentials: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N = 9.1
Open redirect: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N = 6.1
Directory listing: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N = 5.3
Information disclosure: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N = 5.3
Missing HTTPS: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N = 4.8
CSRF (state-changing): AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N = 6.5
Executive Summary Template (1 Page)
## Executive Summary
[CLIENT NAME] engaged [FIRM NAME] to conduct a [TYPE: internal/external/web application/full-scope]
penetration test of [SCOPE DESCRIPTION] between [START DATE] and [END DATE].
### Risk Posture
During the assessment, [FIRM NAME] identified **[N] findings** across [M] systems,
including **[X] Critical**, **[Y] High**, **[Z] Medium**, **[W] Low**, and **[V] Informational** vulnerabilities.
The overall risk posture is assessed as: **[CRITICAL | HIGH | MEDIUM | LOW]**
### Key Findings
The most significant finding was **[FINDING TITLE]**, which allowed testers to [IMPACT DESCRIPTION —
e.g., "gain unauthenticated remote code execution on the production API server and access
the customer database containing [N] records"].
Additional critical findings included:
- **[Finding 2]**: [One-sentence impact]
- **[Finding 3]**: [One-sentence impact]
### Business Impact
Exploitation of the identified vulnerabilities could result in:
- Unauthorized access to sensitive customer data (regulatory impact: GDPR, PCI-DSS)
- Complete compromise of [SYSTEM] infrastructure
- Reputational damage and loss of customer trust
- [SPECIFIC DOLLAR/OPERATIONAL IMPACT IF QUANTIFIABLE]
### Remediation Priority
| Priority | Timeline | Actions |
|----------|----------|---------|
| Immediate (0-7 days) | Patch [CVE], revoke [credential], disable [service] |
| Short-term (8-30 days) | Implement [control], remediate [N] High findings |
| Medium-term (31-90 days) | Address [N] Medium findings, establish [process] |
[FIRM NAME] is available to provide remediation guidance and conduct a retest upon completion.
Technical Finding Template
---
## [ID]: [SEVERITY] — [Vulnerability Title]
| Field | Value |
|-------|-------|
| **Severity** | CRITICAL / HIGH / MEDIUM / LOW / INFO |
| **CVSS 3.1 Score** | [SCORE] ([CVSS:3.1/AV:.../...]) |
| **CWE** | CWE-[NUMBER]: [NAME] |
| **ATT&CK TTP** | [T-NUMBER]: [TECHNIQUE NAME] |
| **Affected Asset** | [IP / URL / Component] |
| **CVE** | CVE-XXXX-XXXXX (if applicable) |
| **Date Identified** | [UTC DATE] |
### Description
[2-4 sentence technical description of the vulnerability. Explain what it is, why it exists,
and what conditions allow it to be exploited. Avoid jargon that a non-technical reader
cannot follow in the executive summary.]
### Business Impact
[1-2 sentences describing the business consequence if this vulnerability is exploited.
Frame in terms of data confidentiality, regulatory requirements, operational availability,
or financial impact.]
### Steps to Reproduce
**Prerequisites:** [Access level required, e.g., "Unauthenticated" / "Valid user account"]
1. Navigate to `[URL]` using a web browser or send the following request:
```http
[REQUEST METHOD] [PATH] HTTP/1.1
Host: [HOST]
[HEADERS]
[BODY IF APPLICABLE]
-
[Step 2 description]
-
The application responds with:
[RESPONSE SNIPPET or COMMAND OUTPUT] -
[Step describing the impact demonstration]
Evidence
- Screenshot/Output:
evidence/[DATE]/[TARGET]/[category]/[filename] - Request/Response:
evidence/[DATE]/[TARGET]/[category]/[filename].http - Video recording:
evidence/[DATE]/[TARGET]/[category]/[filename].mp4(if captured)
Remediation
Immediate Actions:
- [Specific immediate mitigation step — e.g., "Disable the affected endpoint at the WAF layer"]
- [Second immediate step if needed]
Long-term Fix: [Specific code-level or configuration-level remediation. Include version number to upgrade to, configuration value to set, or code pattern to implement.]
Verification: [How to confirm the fix is effective — e.g., "Re-run the proof of concept steps above; the server should return HTTP 403 or equivalent error."]
References
- [CVE link or NVD URL if applicable]
- [Vendor advisory URL]
- [OWASP / CWE / NIST link]
- [ATT&CK technique URL: https://attack.mitre.org/techniques/T-NUMBER/]
---
## 5×5 Risk Matrix
```markdown
## Risk Matrix
| | **Negligible (1)** | **Minor (2)** | **Moderate (3)** | **Major (4)** | **Catastrophic (5)** |
|---|---|---|---|---|---|
| **Almost Certain (5)** | MEDIUM 5 | HIGH 10 | HIGH 15 | CRITICAL 20 | CRITICAL 25 |
| **Likely (4)** | LOW 4 | MEDIUM 8 | HIGH 12 | HIGH 16 | CRITICAL 20 |
| **Possible (3)** | LOW 3 | MEDIUM 6 | MEDIUM 9 | HIGH 12 | HIGH 15 |
| **Unlikely (2)** | LOW 2 | LOW 4 | MEDIUM 6 | MEDIUM 8 | HIGH 10 |
| **Rare (1)** | INFO 1 | LOW 2 | LOW 3 | LOW 4 | MEDIUM 5 |
*Score = Likelihood × Impact*
Remediation Language Bank (Top 20 Vulnerability Types)
SQL Injection
Implement parameterized queries (prepared statements) for all database interactions. Do not construct SQL queries using string concatenation with user-supplied input. Apply input validation with allowlists at the application layer. Deploy a WAF rule to detect and block common SQL injection patterns as a defense-in-depth measure.
Cross-Site Scripting (XSS)
Implement context-sensitive output encoding for all user-controlled data rendered in HTML, JavaScript, CSS, and URL contexts. Use a Content Security Policy (CSP) header that rest