v1.11

bugcrowd · Nov 14, 2023 · 6f6bde3 · 6f6bde3
1 parent 3222464
commit 6f6bde3
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,72 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
 
 ### Changed
 
+## [v1.11](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.10...v1.11) - 2023-11-20
+### Added
+- Sensitive Data Exposure - Disclosure of Secrets - PII Leakage/Exposure: VARIES
+- Sensitive Data Exposure - Disclosure of Secrets - Sensitive data Leakage/Exposure: P1
+- Server-Side Injection - Content Spoofing - HTML Content Injection: P5
+- Broken Authentication and Session Management - Failure to invalidate session - Permission change: VARIES
+- Server Security Misconfiguration - Request Smuggling: VARIES
+- Cryptographic Weakness - Insufficient Entropy - Limited Random Number Generator (RNG) Entropy Source: P4
+- Cryptographic Weakness - Insufficient_Entropy - Use of True Random Number Generator (TRNG) for Non-Security Purpose: P5
+- Cryptographic Weakness - Insufficient_Entropy - Pseudo-Random Number Generator (PRNG) Seed Reuse: P5
+- Cryptographic Weakness - Insufficient_Entropy - Predictable Pseudo-Random Number Generator (PRNG) Seed: P4 
+- Cryptographic Weakness - Insufficient_Entropy - Small Seed Space in Pseudo-Random Number Generator (PRNG): P4
+- Cryptographic Weakness - Insufficient_Entropy - Initialization Vector (IV) Reuse: P5
+- Cryptographic Weakness - Insufficient_Entropy - Predictable Initialization Vector (IV): P4
+- Cryptographic Weakness - Insecure Implementation - Missing Cryptographic Step: VARIES
+- Cryptographic Weakness - Insecure Implementation - Improper Following of Specification (Other): VARIES
+- Cryptographic Weakness - Weak Hash - Lack of Salt: VARIES
+- Cryptographic Weakness - Weak Hash - Use of Predictable Salt: P5
+- Cryptographic Weakness - Weak Hash - Predictable Hash Collision: VARIES
+- Cryptographic Weakness - Insufficient Verification of Data Authenticity - Integrity Check Value (ICV): P4
+- Cryptographic Weakness - Insufficient Verification of Data Authenticity - Cryptographic Signature: VARIES
+- Cryptographic Weakness - Insecure Key Generation - Improper Asymmetric Prime Selection: VARIES
+- Cryptographic Weakness - Insecure Key Generation - Improper Asymmetric Exponent Selection: VARIES
+- Cryptographic Weakness - Insecure Key Generation - Insufficient Key Stretching: VARIES
+- Cryptographic Weakness - Insecure Key Generation - Insufficient Key Space: P3
+- Cryptographic Weakness - Insecure Key Generation - Key Exchage Without Entity Authentication: P3
+- Cryptographic Weakness - Key Reuse - Lack of Perfect Forward Secrecy: P4
+- Cryptographic Weakness - Key Reuse - Intra-Environment: P5
+- Cryptographic Weakness - Key Reuse - Inter-Environment: P2
+- Cryptographic Weakness - Side-Channel Attack - Padding Oracle Attack: P4
+- Cryptographic Weakness - Side-Channel Attack - Timing Attack: P4
+- Cryptographic Weakness - Side-Channel Attack - Power Analysis Attack: P5
+- Cryptographic Weakness - Side-Channel Attack - Emanations Attack: P5
+- Cryptographic Weakness - Side-Channel Attack - Differential Fault Analysis: VARIES
+- Cryptographic Weakness - Use of Expired Cryptographic Key (or Certificate): P4
+- Cryptographic Weakness - Incomplete Cleanup of Keying Material: P5
+- Cryptographic Weakness - Broken Cryptography - Use of Broken Cryptographic Primitive: P3
+- Cryptographic Weakness - Broken Cryptography - Use of Vulnerable Cryptographic Library: P4
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Manipulate Non-Sensitive Information: P5
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Manipulate Sensitive Information | GUID/Complex Object Identifiers: P4
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read Sensitive Information | Iteratable Object Identifiers: P3
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Alter Sensitive Information | Iteratable Object Identifiers: P2
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read Sensitive Information (PII) | Iteratable Object Identifiers: P1
+
+### Changed
+FROM: 
+- Cross-Site Scripting (XSS) - IE-Only - Older Version (< IE11): P5
+TO: 
+- Cross-Site Scripting (XSS) - IE-Only: P5
+
+- FROM:
+- Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal High Impact: P2
+- Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact: P3
+- Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - External: P4
+- Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - DNS Query Only : P5
+TO:
+- Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact: P2
+- Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact: P3
+- Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - Low impact: P5
+- Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - DNS Query Only: P5
+
+### Removed
+- Cross-Site Scripting (XSS) - IE-Only - IE11: P4
+- Broken Cryptography - Cryptographic Flaw - Incorrect Usage: P1
+- Automotive Security Misconfiguration - Infotainment, Radio Head Unit - PII Leakage: P1
+
 ## [v1.10.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.10...v1.10.1) - 2021-03-29
 ### Changed
 - renamed `secure code warriors` mapping to `secure code warrior`

diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json
@@ -1,6 +1,6 @@
 {
   "metadata": {
-    "release_date": "2021-03-29T00:00:00+00:00"
+    "release_date": "2023-20-11T00:00:00+00:00"
   },
   "content": [
     {