diff --git a/trainingportal/qna.js b/trainingportal/qna.js
index 83f578e7..268909e6 100644
--- a/trainingportal/qna.js
+++ b/trainingportal/qna.js
@@ -231,6 +231,34 @@ let analysisEnc = (mes) => {
 return getRes(goldenKey, cipher);
 }
+let cvss_3_score_1 = () => {
+ return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N")};
+}
+
+let cvss_4_score_2 = () => {
+ return {"digest": getDigest("CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N")};
+}
+
+let cvss_5_chain = () => {
+ return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N")};
+}
+
+let cvss_6_score_3 = () => {
+ return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N")};
+}
+
+let cvss_7_score_4 = () => {
+ return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N")};
+}
+
+let cvss_8_score_5 = () => {
+ return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N")};
+}
+
+let cvss_9_score_6 = () => {
+ return {"digest": getDigest("CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N")};
+}
+
+const DEFS = {
 "crypto_caesar": caesarEnc,
 "crypto_vigenere": vigenereEnc,
@@ -239,7 +267,14 @@ const DEFS = {
 "crypto_hash": hashEnc,
 "crypto_xor": xorEnc,
 "crypto_pbk": pbkEnc,
- "crypto_analysis": analysisEnc
+ "crypto_analysis": analysisEnc,
+ "cvss_3_score_1": cvss_3_score_1,
+ "cvss_4_score_2": cvss_4_score_2,
+ "cvss_5_chain": cvss_5_chain,
+ "cvss_6_score_3": cvss_6_score_3,
+ "cvss_7_score_4": cvss_7_score_4,
+ "cvss_8_score_5": cvss_8_score_5,
+ "cvss_9_score_6": cvss_9_score_6
 }
 module.exports = {
diff --git a/trainingportal/static/lessons/cvss/cvss_1_intro.md b/trainingportal/static/lessons/cvss/cvss_1_intro.md
new file mode 100644
index 00000000..8ae7763d
--- /dev/null
+++ b/trainingportal/static/lessons/cvss/cvss_1_intro.md
@@ -0,0 +1,307 @@
+## The Common Vulnerability Scoring System (CVSS)
+
+
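Review bot: The seven new handlers in the first hunk (`cvss_3_score_1` through `cvss_9_score_6`) are the same function with only the vector literal changed, and their snake_case names break with the camelCase the file uses for its other DEFS handlers (`caesarEnc`, `analysisEnc`); a single factory `const cvssAnswer = (vector) => () => ({"digest": getDigest(vector)});` with DEFS entries such as `"cvss_3_score_1": cvssAnswer("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"),` in the second hunk keeps each lesson id next to its expected vector and removes the repetition. `cvss_3_score_1` and `cvss_6_score_3` carry the identical vector, which agrees with both solution files in this commit but reads like a copy-paste slip without a comment such as `// score_1 and score_3 intentionally resolve to the same vector (VC:L, everything else N)`. If the answer check hashes the learner's submitted vector with getDigest and compares it to this digest (the comparison is outside the hunk), a vector with the metrics in a different order or in lower case will be rejected even though it encodes the same score; normalising the submitted vector before hashing, or stating in the lesson text that the calculator's vector string is expected verbatim, avoids that confusion. The expected vectors for `cvss_8_score_5` and `cvss_9_score_6` could not be cross-checked here because their solution files fall outside this view.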
+ +The Common Vulnerability Scoring System (CVSS) is an *open framework for communicating the characteristics and severity of software vulnerabilities*. You can find the most complete and up-to-date information on CVSS at [https://www.first.org/cvss/](https://www.first.org/cvss/). The current version of the CVSS specification is CVSS v4 with CVSS v3 still being widely used. CVSS provides a standardized vendor agnostic and platform agnostic methodology and produces a CVSS Score value between 0 and 10 and a CVSS rating: + +- 9.0 - 10.0 Critical +- 7.0 - 8.9 High +- 4.0 - 6.9 Medium +- 0.1 - 3.9 Low +- 0.0 None + + + +The CVSS score is produced by choosing the corresponding values for each CVSS metric (metrics will be covered in detail later in this chapter). The final set of all metrics is represented in the so called CVSS Vector e.g. `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N`. This example is decoded as: + +- `AV:N` -> Attack Vector (AV): Network (N) +- `AC:L` -> Attack Complexity (AC): Low (L) +- `AT:N` -> Attack Requirements (AT): None (N) +- `PR:N` -> Privileges Required (PR): None (N) +- `UI:N` -> User Interaction (UI): None (N) +- `VC:H` -> Vulnerable System Confidentiality (VC): High (H) +- `VI:H` -> Vulnerable System Integrity (VI): High (H) +- `VA:N` -> Vulnerable System Availability (VA): None (N) +- `SC:N` -> Subsequent System Confidentiality (SC): None (N) +- `SI:N` -> Subsequent System Integrity (SI): None (N) +- `SA:N` -> Subsequent System Availability (SA): None (N) + +Just by looking at the CVSS Vector, we can understand the (high-level) story behind the vulnerability. In this example we can see that: An unauthenticated attacker (`AV:N/AC:L/AT:N/PR:N/UI:N`) can read and write sensitive data (`VC:H/VI:H/VA:N`). + +


+ +--- + +### It is important to note that CVSS `is not a` *Risk Score*. + +

+ +CVSS gives us a **technical score** of a vulnerability. It does **NOT** deal with any business, financial, health or any other form of risk. To better understand this, consider the following example: + + - 2 different vulnerabilities + - The same CVSS score of 9.0 Critical + - One of those is in a music player / sound device + - The other is in a medical software responsible for delivering health-critical medical services to patients + +The CVSS specification explicitly covers that vulnerability management should consider factors that are outside of CVSS: + + Consumers may use CVSS information as input to an organizational vulnerability management + process that also considers factors that are not part of CVSS in order to rank the threats + to their technology infrastructure and make informed remediation decisions. Such factors may + include, but are not limited to: regulatory requirements, number of customers impacted, + monetary losses due to a breach, life or property threatened, or reputational impacts of a + potential exploited vulnerability. These factors are outside the scope of CVSS. + +--- + +


+ +## CVSS Metric Groups + +
+ +CVSS v4 has 4 metric groups: + +- Base. + - Intrinsic characteristics + - Constant over time + - Assumes reasonable worst-case impact +- Threat. + - The current state of exploitability and remediation + - Can only go lower than the Base score +- Environmental. + - Adjusted to specific environment + - Considers mitigating factors + - Considers adverse effects + - Can go higher or lower than the Base score +- Supplemental. + - Context and additional extrinsic attributes + - No impact on the CVSS score + +For the remainder of this chapter, we will be focusing only on the Base metric group as it provides the most robust measure of a vulnerability's characteristics. The Environmental group is also very effective for adjusting the exploitability and impact metrics for a particular environment and can be viewed as a modification to the Base metric. + + +## CVSS Base Score + +CVSS Base metrics go into 2 broad categories: + +- **Exploitability**. How easy/hard it is to exploit the vulnerability and what the prerequisites are. + - `Attack Vector (AV)` + - `Attack Complexity (AC)` + - `Attack Requirements (AT)` + - `Privileges Required (PR)` + - `User Interaction (UI)` +- **Impact**. The security properties being violated. + - *Vulnerable System*. The system that has the vulnerability. + - `Confidentialiy (VC)` + - `Integrity (VI)` + - `Availability (VA)` + - *Subsequent System*. Other dependent system(s) being impacted. + - `Confidentiality (SC)` + - `Integrity (SI)` + - `Availability (SA)` + +


+ +### Exploitability Metrics + +#### [Attack Vector (AV)](https://www.first.org/cvss/v4-0/specification-document#Attack-Vector-AV) +- **Question**: From where can an attacker execute the attack? +- **Values**: + - Network (`N`) + - Remotely over the network + - **Examples**: + - Web-based attacks + - Adjacent (`A`) + - Local/Adjacent network (physical or logical) + - **Examples**: + - Physical proximity + - Bluetooth + - WiFi + - Logical proximity + - ARP + - DHCP + - Local (`L`) + - Not bound to the network stack + - **Examples**: + - Vulnerable lock screen + - Malware infected document + - Local Privilege Escalation (LPE) + - Physical (`P`) + - Physical access to the device + - **Examples**: + - Malicious USB device + - Evil Maid attacks + +#### [Attack Complexity (AC)](https://www.first.org/cvss/v4-0/specification-document#Attack-Complexity-AC) + +- **Question**: What are the requirements for bypassing security-enhancing conditions/controls? +- **Values**: + - Low (`L`) + - The attack requires no target-specific defense circumvention + - **Examples**: + - Most web attacks + - High (`H`) + - The attack requires evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack: + - address space layout randomization (ASLR) + - data execution prevention (DEP) + - Obtaining target-specific secrets + - **Examples**: + - [regreSSHion CVE-2024-6387](https://www.first.org/cvss/v4-0/examples#regreSSHion-CVE-2024-6387) + - Attackers must defeat memory safety defenses in order to achieve code execution + +**NOTE**: It is important to note that Attack Complexity is **not** related to exploit complexity. A proof-of-concept for exploiting a vulnerability may be a sophisticated piece of code itself, but that does not necessarily have effect on the Attack Complexity metric. 
You should ask not "How hard would it be for someone to design the exploit code?", but instead ask "How hard would it be for someone having access to the exploit code to overcome the security conditions in order for this attack to work?" + +#### [Attack Requirements (AT)](https://www.first.org/cvss/v4-0/specification-document#Attack-Requirements-AT) + +- **Question**: Are there any non-security-specific conditions that need to be overcome? +- **Values**: + - None (`N`) + - No special requirements or conditions + - **Examples**: + - Most web attacks + - Present (`P`) + - The attack requires the presence of a specific condition that is not always present + - **Examples**: + - Race condition requiring a very specific timing window + - Man-in-the-Middle (MitM) attacks + +#### [Privileges Required (PR)](https://www.first.org/cvss/v4-0/specification-document#Privileges-Required-PR) + +- **Question**: What privileges does an attacker need (themselves, not the victim)? +- **Values**: + - None (`N`) + - No need for authentication + - **Examples**: + - SQL injection on the login page + - Low (`L`) + - Authentication required, but only low privileges + - **Examples**: + - Low-privileged user can access the admin panel + - Logged in attacker is able to change other users’ data + - High (`H`) + - Attacker needs significant privileges (e.g. admin) + - **NOTE**: In CVSS we only measure the impact of a vulnerability in terms of what is gained by exploiting it. It wouldn't make sense to score legitimate administrative capabilities as impact. + - **Examples**: + - Exploit only possible through the admin panel of a Web app + - Change of scope vulnerabilities such as a privileged user on a VM/container can escape into the host and execute commands there + +#### [User Interaction (UI)](https://www.first.org/cvss/v4-0/specification-document#User-Interaction-UI) + +- **Question**: What are the requirements on the user/victim for the attack to succeed? 
+- **Values**: + - None (`N`) + - Attacker can exploit without any interaction from any user/victim + - **Examples**: + - SQL injection on the login page + - Passive (`P`) + - Requires only limited interaction or normal/ordinary user behaviour + - **Examples**: + - A user will be compromised if they simply open a malicious message/email/sms within the application (not having to further follow any links) + - A malicious user can change their user info so that an account takeover occurs whenever the admin user generates reports (assuming report generation is a normal/expected activity) + - A stored cross-site scripting (XSS) in the default dashboard that loads after user log-in + - Active (`A`) + - Requires a behaviour that is out of the ordinary, against recommended guidance, or subverting security controls + - **Examples**: + - An email with malicious attachment that the victim needs to explicitly download and execute + - The user must explicitly accept/override a security warning such as certificate/TLS issues reported by the browser + - Reflected cross-site scripting (XSS) where the victim needs to follow a malicious link + +### Impact Metrics + +#### CIA + +In CVSS impact is measured against the security properties: + +- **Confidentiality (C)**. Attackers can't read data. +- **Integrity (I)**. Attackers can't modify data. +- **Availability (A)**. Attackers can't disrupt the service. + +Impact is only measured in terms of what is gained by exploiting a vulnerability. For example, a vulnerability that allows a read-only user to modify some data should only be scored with Integrity impact. The impact should be contained to what can be proven or reasonably expected. 
+ +**NOTES**: + +- Brute-forcing cryptographically secure algorithms with sufficient key size and entropy should be considered neither reasonable nor practical +- Finding a collision in a hashing function known to be broken (such as SHA-1) has to be considered reasonable (as proven in the shattered attack), even if not computationally/financially feasible for non-financially capable attackers. + +#### Scope (Vulnerable System Impact vs Subsequent System Impact) + +CVSS v4 introduces separate impact scores for the Vulnerable (`V`) system and Subsequent (`S`) systems (previously in CVSS v3 this used to be marked by a Scope (`S`) metric). + +The CVSS documentation includes a [CVSS User Guide](https://www.first.org/cvss/v4-0/user-guide#Vulnerable-System-and-Subsequent-System) with some examples on scope scoring. + +Examples of change of scope (vulnerable to subsequent) for impact: + +- vulnerability in a virtualization hypervisor that allows a virtual machine "escape" from the VM onto the host (similarly, container escape) +- cross-site scripting (XSS) vulnerabilities. The vulnerable system is the web server, but the impacted system (i.e. subsequent) is the victim's web browser. + +#### [Confidentiality (VC/SC)](https://www.first.org/cvss/v4-0/specification-document#Confidentiality-VC-SC) + +- **Security Property**. Attackers can't read data. +- **Values**: + - None (`N`) + - No impact + - Low (`L`) + - Read access to some restricted data: + - No control over which data + - Amount/kind is limited + - **Examples**: + - Attacker can read internal debug messages and see some internal details (e.g. 
IP addresses), but no secrets or critical information + - Attacker can see user statistics + - High (`H`) + - Read all data or critical data + - **Examples**: + - SQL injection allowing database dump of the whole database + - Attacker can read another user's access tokens + +#### [Integrity (VI/SI)](https://www.first.org/cvss/v4-0/specification-document#Integrity-VI-SI) + +- **Security Property**. Attackers can't modify data. +- **Values**: + - None (`N`) + - No impact + - Low (`L`) + - Read access to some restricted data: + - No control over which data + - Amount/kind is limited + - **Examples**: + - Attacker can change another user's avatar image + - High (`H`) + - Modify all data or critical data + - **Examples**: + - SQL injection allowing database modifications + - Attacker can set another user's authentication details (e.g. password, tokens) + + +#### [Availability (VA/SA)](https://www.first.org/cvss/v4-0/specification-document#Availability-VA-SA) + +- **Security Property**. Attackers can't disrupt the service. +- **Values**: + - None (`N`) + - No impact + - Low (`L`) + - Some impact (performance) or partial impact + - **Examples**: + - Computationally intensive cryptographic operation can be abused to partially overload the CPU and cause slower server responses, but cannot completely deny the service + - Attacker can deny some non-critical functionality e.g. report generation + - High (`H`) + - Full service denial or critical parts being denied + - Fully deny access + - Sustained (for the duration of the attack) + - Persistent (even after the attack) + - Deny only access to some critical resources + - User login sessions + - **Examples**: + - Attacker can abuse a particular operation that would overload the server and prevent it from serving clients for the next 10 seconds. The attacker can sustain the attack with 1 request every 9-10 seconds. + - Attacker can send a malformed request the would crash the server. 
The service will no longer be available until it is manually restarted. + - Attacker can break the login functionality. Existing sessions remain intact, but users cannot sign in anymore (sustained or persistent). + + +--- + +**Resources**: + + - CVSS Documentation: [https://www.first.org/cvss/](https://www.first.org/cvss/) + - CVSS 4.0 Calculator: [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0) + - CVSS Examples: [https://www.first.org/cvss/v4-0/examples](https://www.first.org/cvss/v4-0/examples) + - CVSS User Guide: [https://www.first.org/cvss/v4-0/user-guide](https://www.first.org/cvss/v4-0/user-guide) diff --git a/trainingportal/static/lessons/cvss/cvss_1_intro.sol.md b/trainingportal/static/lessons/cvss/cvss_1_intro.sol.md new file mode 100644 index 00000000..a739af78 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_1_intro.sol.md @@ -0,0 +1 @@ +The CVSS specification is available at [https://www.first.org/cvss/](https://www.first.org/cvss/). \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_2_case_studies.md b/trainingportal/static/lessons/cvss/cvss_2_case_studies.md new file mode 100644 index 00000000..447b2499 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_2_case_studies.md 
@@ -0,0 +1,113 @@ +## [CVE-2025-4427](https://nvd.nist.gov/vuln/detail/CVE-2025-4427) + +### Description +An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. + +### CVSS Score + +**NOTE:** The official NVD entry for this vulnerability contains 2 separate CVSS scores: one provided by the vendor and one provided by the National Vulnerability Database (NVD). The discrepancy here is in the impact metric for `Confidentiality`. The vendor claims `Low` impact, while the NVD claims `High` impact. This example demonstrates how even the technical aspects alone can be subject to interpretation and discussion. + +#### Vulnerability Dissection + +Looking at the description, we can inform some of the CVSS metrics: + +- `authentication bypass in the API` and `without proper credentials` + - Attack Vector: Network (`AV:N`) *(assuming a Web API)* + - Privileges Required: None (`PR:N`) +- `access protected resources` + - Confidentiality: High (`VC:H`) + +The rest we can keep with the CVSS defaults i.e. no exploitability requirements and no impact. + +#### CVE Official CVSS v3.1 Score +NVD: 7.5 High [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) + +#### Proposed CVSS v4.0 Score + +8.7 High [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) + +

+ +--- + +## [CVE-2020-4004](https://nvd.nist.gov/vuln/detail/CVE-2020-4004) + +### Description + +VMware ESXi (7.0 before ESXi70U1b-17168206, 6.7 before ESXi670-202011101-SG, 6.5 before ESXi650-202011301-SG), Workstation (15.x before 15.5.7), Fusion (11.x before 11.5.7) contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. + +### CVSS Score + +#### Vulnerability Dissection + +Looking at the description, we can inform some of the CVSS metrics: + +- `local administrative privileges` + - Attack Vector: Local (`AV:L`) + - Privileges Required: High (`PR:H`) +- `on a virtual machine` and `virtual machine's VMX process running on the host` + - Scope: Changed (`S:C`) in CVSS v3 + - Subsequent System impact in CVSS v4 +- `VMX process` + - The VMX process is a privileged process on the host, so all impact is High (`VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`) + +#### CVE Official CVSS v3.1 Score +NVD: 8.2 High [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) + +#### Proposed CVSS v4.0 Score +9.3 Critical [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) + +

+ +--- + +## [CVE-2025-40591](https://nvd.nist.gov/vuln/detail/CVE-2025-40591) + +### Description + +A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5) ... . The 'Log Viewers' tool in the web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated remote attacker to execute the 'tail' command with root privileges and disclose contents of all files in the filesystem. + +### CVSS Score + +#### Vulnerability Dissection + +Looking at the description, we can inform some of the CVSS metrics: + +- `authenticated remote attacker` + - Attack Vector: Network (`AV:N`) + - Privileges Required: Low (`PR:L`) +- `disclose contents of all files` + - Confidentiality: High (`C:H`) + - **Note**: Apart from the files of the application itself, an attacker can also read all files on the host. Hence, we have change of scope from the vulnerable system (the web application) with its own Authentication and Authorization (i.e. security scope) to the subsequent system (the host itself). + +#### CVE Official CVSS v4.0 Score +Siemens AG: 8.3 High [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N) + +

+ +--- + +## [CVE-2025-34124](https://nvd.nist.gov/vuln/detail/CVE-2025-34124) + +### Description + +A buffer overflow vulnerability exists in Heroes of Might and Magic III Complete 4.0.0.0, HD Mod 3.808 build 9, and Demo 1.0.0.0 via malicious .h3m map files that exploit object sprite name parsing logic. The vulnerability occurs during in-game map loading when a crafted object name causes a buffer overflow, potentially allowing arbitrary code execution. Exploitation requires the victim to open a malicious map file within the game. + +### CVSS Score + +#### Vulnerability Dissection + +Looking at the description, we can inform some of the CVSS metrics: + +- `via malicious .h3m map files` + - Attack Vector: Local (`AV:L`) +- `Exploitation requires the victim to open a malicious map file within the game` + - User Interaction: Active (`UI:A`) +- `arbitrary code execution` + - Confidentiality: High (`VC:H`) + - Integrity: High (`VI:H`) + - Availability: High (`VA:H`) + +#### CVE Official CVSS v4.0 Score + +VulnCheck: 8.4 High [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_2_case_studies.sol.md b/trainingportal/static/lessons/cvss/cvss_2_case_studies.sol.md new file mode 100644 index 00000000..004655e7 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_2_case_studies.sol.md @@ -0,0 +1 @@ +The [User Interaction (UI)](https://www.first.org/cvss/v4-0/specification-document#User-Interaction-UI) metric covers "the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system". \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_3_score_1.md b/trainingportal/static/lessons/cvss/cvss_3_score_1.md new file mode 100644 index 00000000..5a77f160 --- /dev/null 
+++ b/trainingportal/static/lessons/cvss/cvss_3_score_1.md @@ -0,0 +1,11 @@ +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +

+ +### Scenario + +Unauthenticated attacker can list registered users of a SaaS offering. + +

diff --git a/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md b/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md new file mode 100644 index 00000000..72db7214 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md @@ -0,0 +1,22 @@ +High-level analysis: + +- Prerequisites: + - None +- Impact: + - Some limited amount data is exposed + +--- + +CVSS: + +- Attack Vector (AV): Network (N) +- Attack Complexity (AC): Low (L) +- Attack Requirements (AT): None (N) +- Privileges Required (PR): None (N) +- User Interaction (UI): None (N) +- Vulnerable System Confidentiality (VC): Low (L) +- Vulnerable System Integrity (VI): None (N) +- Vulnerable System Availability (VA): None (N) +- Subsequent System Confidentiality (SC): None (N) +- Subsequent System Integrity (SI): None (N) +- Subsequent System Availability (SA): None (N) \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_4_score_2.md b/trainingportal/static/lessons/cvss/cvss_4_score_2.md new file mode 100644 index 00000000..b9125ef2 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_4_score_2.md @@ -0,0 +1,11 @@ +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +

+ +### Scenario + +A malicious SaaS user with knowledge of another user’s unique 128-bit userid, can read all the information (e.g. details, activity, messages) for that user through an Authorization bypass in the API. + +

diff --git a/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md b/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md new file mode 100644 index 00000000..4bc91ac3 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md @@ -0,0 +1,23 @@ +High-level analysis: + +- Prerequisites: + - Knowledge of a 128-bit userid of a victim + - Valid login session +- Impact: + - Full impact on all information related to the user, including sensitive data + +--- + +CVSS: + +- Attack Vector (AV): Network (N) +- Attack Complexity (AC): High (H) +- Attack Requirements (AT): None (N) +- Privileges Required (PR): Low (L) +- User Interaction (UI): None (N) +- Vulnerable System Confidentiality (VC): High (H) +- Vulnerable System Integrity (VI): None (N) +- Vulnerable System Availability (VA): None (N) +- Subsequent System Confidentiality (SC): None (N) +- Subsequent System Integrity (SI): None (N) +- Subsequent System Availability (SA): None (N) \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_5_chain.md b/trainingportal/static/lessons/cvss/cvss_5_chain.md new file mode 100644 index 00000000..de8f840d --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_5_chain.md @@ -0,0 +1,38 @@ +### Vulnerability Chaining + +The CVSS framework is designed for assessing an individual vulnerability having known the details on exploitability and impact. However, it is sometimes necessary to look into more complex attacks that leverage multiple vulnerabilities into a chain. While the CVSS is not specifically designed for more complex attacks, it does accommodate for scoring a single attack consisting of a vulnerability chain. + + +Vulnerability chaining is covered in the [CVSS User Guide](https://www.first.org/cvss/v4-0/user-guide#Vulnerability-Chaining). + +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +

+ +### Scenario + +This attack scenario consists of the 2 vulnerabilties we saw earlier. Imagine that an attacker is aware and has the ability to execute both of them as necessary to perform an attack. + +You can leverage the CVSS vectors of the previous 2 vulnerabilities that we scored. + +

+ +#### Vulnerability 1 + +Unauthenticated attacker can list registered users of a SaaS offering (username and userid). + +

+ +#### Vulnerability 2 + +A malicious SaaS user with knowledge of another user’s unique 128-bit userid, can read all the information (e.g. details, activity, messages) for that user through an Authorization bypass in the API. + +

+ +#### Impact + +The attacker is now able to read the information for all users. + +

diff --git a/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md b/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md new file mode 100644 index 00000000..7fbb12b9 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md @@ -0,0 +1,23 @@ +High-level analysis: + +- Prerequisites: + - Previous prerequisite of "Knowledge of a 128-bit userid of a victim" is now easily satisfied by Vulnerability 1 + - Valid login session +- Impact: + - Full impact on all information related to **any** user, including sensitive data + +--- + +CVSS: + +- Attack Vector: Network (N) +- Attack Complexity: Low (L) +- Attack Requirements: None (N) +- Privileges Required: Low (L) +- User Interaction: None (N) +- Vulnerable System Confidentiality: High (H) +- Vulnerable System Integrity: None (N) +- Vulnerable System Availability: None (N) +- Subsequent System Confidentiality: None (N) +- Subsequent System Integrity: None (N) +- Subsequent System Availability: None (N) \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_6_score_3.md b/trainingportal/static/lessons/cvss/cvss_6_score_3.md new file mode 100644 index 00000000..659d3e85 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_6_score_3.md @@ -0,0 +1,21 @@ +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +

+ +### Scenario + +The company "PCGamingCompany.insecure.example" offers computer games to its customers. The service offers an easy sign up for new customers. + +From a technical standpoint, they have a web client and a desktop client. In order for customers to play games, they have to download the desktop client and log into their account. + +

+ +#### Vulnerability + +An authenticated attacker can leverage an Authorization bypass in the API and see all the games owned by a particular user. + +**Note:** For this example we can assume that userids are easily guessable. This is an issue on its own, but is out of scope for this example. + +

\ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_6_score_3.sol.md b/trainingportal/static/lessons/cvss/cvss_6_score_3.sol.md new file mode 100644 index 00000000..b84e46dc --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_6_score_3.sol.md @@ -0,0 +1,22 @@ +High-level analysis: + +- Prerequisites: + - None. Even if from technical point of view the API does require authentication, it is easy for an attacker to obtain a normal account and leverage that. Per the [CVSS Specification](https://www.first.org/cvss/v4-0/specification-document#Privileges-Required-PR): "Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack". +- Impact: + - Some non-sensitive data are exposed + +--- + +CVSS: + +- Attack Vector: Network (N) +- Attack Complexity: Low (L) +- Attack Requirements: None (N) +- Privileges Required: None (N) +- User Interaction: None (N) +- Vulnerable SystemConfidentiality: Low (L) +- Vulnerable System Integrity: None (N) +- Vulnerable System Availability: None (N) +- Subsequent System Confidentiality: None (N) +- Subsequent System Integrity: None (N) +- Subsequent System Availability: None (N) \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_7_score_4.md b/trainingportal/static/lessons/cvss/cvss_7_score_4.md new file mode 100644 index 00000000..ac680726 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_7_score_4.md @@ -0,0 +1,21 @@ +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +

+ +### Scenario + +The company "PCGamingCompany.insecure.example" offers computer games to its customers. The service offers an easy sign up for new customers. + +From a technical standpoint, they have a web client and a desktop client. In order for customers to play games, they have to download the desktop client and log into their account. + +

+ +#### Vulnerability + +An authenticated attacker can leverage an Authorization bypass in a development debug API that got into production to read arbitrary files on the filesystem of a victim with installed desktop client. + +**Note:** For this example we can assume that userids are easily guessable. This is an issue on its own, but is out of scope for this example. + +

\ No newline at end of file
diff --git a/trainingportal/static/lessons/cvss/cvss_7_score_4.sol.md b/trainingportal/static/lessons/cvss/cvss_7_score_4.sol.md
new file mode 100644
index 00000000..4d527346
--- /dev/null
+++ b/trainingportal/static/lessons/cvss/cvss_7_score_4.sol.md
@@ -0,0 +1,23 @@
+High-level analysis:
+
+- Prerequisites:
+ - None. Even if from technical point of view the API does require authentication, it is easy for an attacker to obtain a normal account and leverage that. Per the [CVSS Specification](https://www.first.org/cvss/v4-0/specification-document#Privileges-Required-PR): "Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack".
+- Impact:
+ - There is High impact on Confidentiality as all files on the victim's machine can be read by the attacker.
+ - While the attacker leverages the Vulnerable System (i.e. the Web API), the impact is on a Subsequent System (i.e. the victim's machine), so we have a change of scope and impact on Subsequent System
+
+---
+
+CVSS:
+
+- Attack Vector: Network (N)
+- Attack Complexity: Low (L)
+- Attack Requirements: None (N)
+- Privileges Required: None (N)
+- User Interaction: None (N)
+- Vulnerable System Confidentiality: None (N)
+- Vulnerable System Integrity: None (N)
+- Vulnerable System Availability: None (N)
+- Subsequent System Confidentiality: High (H)
+- Subsequent System Integrity: None (N)
+- Subsequent System Availability: None (N)
diff --git a/trainingportal/static/lessons/cvss/cvss_8_score_5.md b/trainingportal/static/lessons/cvss/cvss_8_score_5.md
new file mode 100644
index 00000000..da307a4c
--- /dev/null
+++ b/trainingportal/static/lessons/cvss/cvss_8_score_5.md
@@ -0,0 +1,19 @@
+### Task
+
+Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0).
+
+

+
+### Scenario
+
+The company "PCGamingCompany.insecure.example" offers computer games to its customers. The service offers an easy sign up for new customers.
+
+From a technical standpoint, they have a web client and a desktop client. In order for customers to play games, they have to download the desktop client and log into their account.
+
+

+
+#### Vulnerability
+
+An attacker can cause a denial of service impact on the telemetry service by providing specially crafted data. The attacker can maliciously change the filename of a locally available game (installed by the gaming desktop client). The desktop client will then try to report this filename and the telemetry service will crash. As a result, customers won't be able to see their gaming statistics, but will still be able to play normally their games.
+
+

\ No newline at end of file
diff --git a/trainingportal/static/lessons/cvss/cvss_8_score_5.sol.md b/trainingportal/static/lessons/cvss/cvss_8_score_5.sol.md
new file mode 100644
index 00000000..735ff8ec
--- /dev/null
+++ b/trainingportal/static/lessons/cvss/cvss_8_score_5.sol.md
@@ -0,0 +1,24 @@
+High-level analysis:
+
+- Prerequisites:
+ - None.
+ - Even if from technical point of view the API does require authentication, it is easy for an attacker to obtain a normal account and leverage that. Per the [CVSS Specification](https://www.first.org/cvss/v4-0/specification-document#Privileges-Required-PR): "Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack".
+ - Despite the attacker starting from a local system with the desktop client being installed, they are actually targeting the Vulnerable System (the telemetry API) remotely over the network. It is within the attacker's control the sign up and install the desktop client on a machine they control.
+- Impact:
+ - Non-critical service is impacted
+
+---
+
+CVSS:
+
+- Attack Vector: Network (N)
+- Attack Complexity: Low (L)
+- Attack Requirements: None (N)
+- Privileges Required: None (N)
+- User Interaction: None (N)
+- Vulnerable System Confidentiality: None (N)
+- Vulnerable System Integrity: None (N)
+- Vulnerable System Availability: Low (L)
+- Subsequent System Confidentiality: None (N)
+- Subsequent System Integrity: None (N)
+- Subsequent System Availability: None (N)
diff --git a/trainingportal/static/lessons/cvss/cvss_9_score_6.md b/trainingportal/static/lessons/cvss/cvss_9_score_6.md
new file mode 100644
index 00000000..b60a3228
--- /dev/null
+++ b/trainingportal/static/lessons/cvss/cvss_9_score_6.md
@@ -0,0 +1,21 @@
+### Task
+
+Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0).
+
+

+
+### Scenario
+
+The company "PCGamingCompany.insecure.example" offers computer games to its customers. The service offers an easy sign up for new customers.
+
+From a technical standpoint, they have a web client and a desktop client. In order for customers to play games, they have to download the desktop client and log into their account.
+
+

+
+#### Vulnerability
+
+A Local Privilege Escalation (LPE) vulnerability was identified in the desktop client. A low-privileged attacker on the machine can trick the gaming client into overwriting any file on the filesystem with attacker provided content by preparing a specially crafted symbolic link.
+
+The attack works by leveraging the upgrade process which uses unsecured temporary folder for storing upgrade files. The desktop client will overwrite any file as a privileged user. As a result, the attacker can become a privileged user on the machine.
+
+

\ No newline at end of file
diff --git a/trainingportal/static/lessons/cvss/cvss_9_score_6.sol.md b/trainingportal/static/lessons/cvss/cvss_9_score_6.sol.md
new file mode 100644
index 00000000..7d2d60ec
--- /dev/null
+++ b/trainingportal/static/lessons/cvss/cvss_9_score_6.sol.md
@@ -0,0 +1,26 @@
+High-level analysis:
+
+- Prerequisites:
+ - The attacker needs to have a local access as a low-privileg user on the system they want to gain privileges on
+- Impact:
+ - Complete compromise of the system where the gaming desktop client is installed
+ - **NOTE**: There is no change of scope here from a Vulnerable System to a Subsequent System.
+ - This case is covered in the [CVSS User Guide](https://www.first.org/cvss/v4-0/user-guide#Vulnerable-System-and-Subsequent-System) (PDF reader example).
+ - The gaming desktop client does not have its own local Authorization and Authentication functionality.
+ - However, the product makes the customer insecure as it provides an LPE attack surface.
+
+---
+
+CVSS:
+
+- Attack Vector(AV): Local (L)
+- Attack Complexity (AC): Low (L)
+- Attack Requirements (AT): None (N)
+- Privileges Required (PR): Low (L)
+- User Interaction (UI): None (N)
+- Vulnerable System Confidentiality(VC): High (H)
+- Vulnerable System Integrity (VI): High (H)
+- Vulnerable System Availability (VA): High (H)
+- Subsequent System Confidentiality (SC): None (N)
+- Subsequent System Integrity (SI): None (N)
+- Subsequent System Availability (SA): None (N)
\ No newline at end of file
diff --git a/trainingportal/static/lessons/cvss/cvss_intro.md b/trainingportal/static/lessons/cvss/cvss_intro.md
deleted file mode 100644
index 1c63d5bb..00000000
--- a/trainingportal/static/lessons/cvss/cvss_intro.md
+++ /dev/null
@@ -1,5 +0,0 @@
-#### Agreeing on vulnerability severity
-
-The Common Vulnerability Scoring System (CVSS) is how we agree on vulnerability severity.
-
-We need to agree on severity so we may prioritize investing our time and effort where it matters most.
\ No newline at end of file
diff --git a/trainingportal/static/lessons/cvss/cvss_intro.sol.md b/trainingportal/static/lessons/cvss/cvss_intro.sol.md
deleted file mode 100644
index e69de29b..00000000
diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json
index f705b47d..ab53d6af 100644
--- a/trainingportal/static/lessons/cvss/definitions.json
+++ b/trainingportal/static/lessons/cvss/definitions.json
@@ -1,34 +1,125 @@
 [
 {
 "level":0,
- "name":"Vulnerability Investigator",
+ "name":"CVSS",
 "challenges":[
 {
- "id":"cvss_intro",
- "name":"About CVSS",
- "description": "cvss_intro.md",
- "solution": "cvss_intro.sol.md",
+ "id":"cvss_1_intro",
+ "name":"Introduction",
+ "description": "cvss_1_intro.md",
+ "solution": "cvss_1_intro.sol.md",
 "type":"quiz",
- "mission":"Choose the correct option",
+ "mission":"Which organization is responsible for the CVSS specification?",
 "options":[
 {
- "display":"Confidentiality: High, Integrity: High, Availability: High",
- "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+ "display":"FIRST - Forum of Incident Response and Security Teams (https://www.first.org/)",
+ "value":"1"
 },
 {
- "display":"Confidentiality: High, Integrity: High, Availability: None",
- "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+ "display":"NVD - National Vulnerability Database (https://nvd.nist.gov/)",
+ "value":"2"
 },
 {
- "display":"Confidentiality: High, Integrity: None, Availability: None",
- "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ "display":"OWASP - Open Worldwide Application Security Project (https://owasp.org/)",
+ "value":"3"
+ }
+ ],
+ "answer":"1",
+ "codeBlockIds":[]
+ },
+ {
+ "id":"cvss_2_case_studies",
+ "name":"Case Studies",
+ "description": "cvss_2_case_studies.md",
+ "solution": "cvss_2_case_studies.sol.md",
+ "type":"quiz",
+ "mission":"Which CVSS metric covers the following exploitation prerequisite: \"Attacker needs to trick a victim into ...\"",
+ "options":[
+ {
+ "display": "Attack Vector (AV)",
+ "value":"1"
+ },
+ {
+ "display":"Attack Complexity (AC)",
+ "value":"2"
 },
 {
- "display":"Confidentiality: None, Integrity: None, Availability: None",
- "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
+ "display":"Attack Requirements (AT)",
+ "value":"3"
+ },
+ {
+ "display":"Privileges Required (PR)",
+ "value":"4"
+ },
+ {
+ "display":"User Interaction (UI)",
+ "value":"5"
 }
 ],
- "answer":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
+ "answer":"5",
+ "codeBlockIds":[]
+ },
+ {
+ "id":"cvss_3_score_1",
+ "name":"Score Vulnerability 1",
+ "description": "cvss_3_score_1.md",
+ "solution": "cvss_3_score_1.sol.md",
+ "type":"quiz",
+ "mission":"Enter the CVSS v4 string (Base Score)",
+ "codeBlockIds":[]
+ },
+ {
+ "id":"cvss_4_score_2",
+ "name":"Score Vulnerability 2",
+ "description": "cvss_4_score_2.md",
+ "solution": "cvss_4_score_2.sol.md",
+ "type":"quiz",
+ "mission":"Enter the CVSS v4 string (Base Score)",
+ "codeBlockIds":[]
+ },
+ {
+ "id":"cvss_5_chain",
+ "name":"Chaining Vulnerabilities",
+ "description": "cvss_5_chain.md",
+ "solution": "cvss_5_chain.sol.md",
+ "type":"quiz",
+ "mission":"Enter the CVSS v4 string (Base Score)",
+ "codeBlockIds":[]
+ },
+ {
+ "id":"cvss_6_score_3",
+ "name":"Score Vulnerability 3",
+ "description": "cvss_6_score_3.md",
+ "solution": "cvss_6_score_3.sol.md",
+ "type":"quiz",
+ "mission":"Enter the CVSS v4 string (Base Score)",
+ "codeBlockIds":[]
+ },
+ {
+ "id":"cvss_7_score_4",
+ "name":"Score Vulnerability 4",
+ "description": "cvss_7_score_4.md",
+ "solution": "cvss_7_score_4.sol.md",
+ "type":"quiz",
+ "mission":"Enter the CVSS v4 string (Base Score)",
+ "codeBlockIds":[]
+ },
+ {
+ "id":"cvss_8_score_5",
+ "name":"Score Vulnerability 5",
+ "description": "cvss_8_score_5.md",
+ "solution": "cvss_8_score_5.sol.md",
+ "type":"quiz",
+ "mission":"Enter the CVSS v4 string (Base Score)",
+ "codeBlockIds":[]
+ },
+ {
+ "id":"cvss_9_score_6",
+ "name":"Score Vulnerability 6",
+ "description": "cvss_9_score_6.md",
+ "solution": "cvss_9_score_6.sol.md",
+ "type":"quiz",
+ "mission":"Enter the CVSS v4 string (Base Score)",
 "codeBlockIds":[]
 }
 ]
diff --git a/trainingportal/util.js b/trainingportal/util.js
index 737a11db..41056b37 100644
--- a/trainingportal/util.js
+++ b/trainingportal/util.js
@@ -105,6 +105,9 @@ exports.parseMarkdown = (text) => { let html = markdown.toHTML(text); //made code tag non bindable by angular html = html.replace(/` + html = html.replace(/<br>/g,"
"); return html }
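Review bot: The added `<br>` rewrite at the end of parseMarkdown has no comment saying why it is needed, while the `<code>` rewrite directly above it records its reason (`//made code tag non bindable by angular`), and the replacement string itself is not recoverable from this rendering of the diff, so the intent is lost twice over. A one-line why-comment in the same style would do, for example `//lesson markdown contains raw <br> tags; rewrite them here so the rendered HTML is consistent`, adjusted to the actual motivation. Because this post-processing runs on the output of `markdown.toHTML(text)` and is keyed on a raw HTML tag taken from the lesson files, it also implies that raw HTML in lesson sources reaches the page unescaped; that is acceptable for repository-controlled lessons, but worth stating in the comment so the helper is not later reused on user-supplied markdown. parseMarkdown begins before this hunk, so the full `<code>` regex and the rest of its body are outside what is shown here.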