Microsoft Vulnerability Severity Classification for Online Services
Our commitment to protecting customers from vulnerabilities in our software, services, and devices includes providing security updates and guidance that address those vulnerabilities when they are reported to Microsoft. We want to be transparent with our customers and security researchers in our approach. The following table describes the Microsoft data classification and severity for common vulnerability types for online services or web applications. It is derived from the Microsoft Security Response Center (MSRC) advisory rating. The MSRC uses this information to triage bugs and determine severity. To provide the best protection for our customers, we always prioritize fixing important and critical severity issues.
Data classification in the context of this document pertains to the data hosted on or by the service and its exposure through the identified vulnerability. The severity of the vulnerability is determined by the impact of the data that could be accessed. In addition, the ease of exploitation is also considered during severity assessment.
Vulnerability Type | Data Classification | Severity | Example (For reference only)
---|---|---|---
Cross Site Scripting (XSS) | Highly Confidential | Critical | XSS that can compromise user session tokens or sensitive cookies with no victim interaction or actions required
Cross Site Scripting (XSS) | Confidential | Important | XSS that can compromise user session tokens or sensitive cookies
Cross Site Scripting (XSS) | General | Moderate | XSS triggering on public pages that does not disclose private data or allow the compromise of an authenticated session
Cross Site Scripting (XSS) | Public | Low | XSS requiring a victim to input the malicious code themselves
Authentication Issues | Highly Confidential | Critical | Vulnerability allowing an attacker to authenticate as another highly privileged user or cross tenant without the victim’s interaction
Authentication Issues | Confidential | Important | Vulnerability allowing an authenticated attacker within a tenant to elevate their privilege
Authentication Issues | General | N/A | Read-only access to a web directory that should be authenticated, like a directory that contains generic images for an internal-only site, but no sensitive information is obtainable
Authentication Issues | Public | |
Improper Access Control | Highly Confidential | Critical | Missing access controls expose sensitive data from another customer
Improper Access Control | Confidential | Important | An unprivileged user accessing data intended for a privileged user
Improper Access Control | General | Moderate | An unprivileged user viewing non-sensitive data without permission
Improper Access Control | Public | Low | An unprivileged user viewing non-sensitive data that’s not intended to be public
Injection (SQL injection and Command injection) | Highly Confidential | Critical | Injection leading to elevation of privilege to a different tenant
Injection (SQL injection and Command injection) | Confidential | Important | Injection leading to elevation of privilege in the same tenant
Injection (SQL injection and Command injection) | General | |
Injection (SQL injection and Command injection) | Public | Moderate | Blind SQL injection with no sensitive information disclosed
Cross-Site Request Forgery (CSRF) | Highly Confidential | Critical | CSRF vulnerability performing a highly privileged administrative action, like allowing account credential reset on any user in an Azure service
Cross-Site Request Forgery (CSRF) | Confidential | Important | CSRF vulnerability resulting in the change of a user’s email address and subsequent account takeover
Cross-Site Request Forgery (CSRF) | General | Moderate | CSRF vulnerability allowing a minor change to a user’s account, like adding a personal note to a user’s account
Cross-Site Request Forgery (CSRF) | Public | Low | A CSRF vulnerability on an unauthenticated form
Server-Side Request Forgery (SSRF) | Highly Confidential | Critical | Cross tenant information disclosure or elevation of privilege after reaching internal servers
Server-Side Request Forgery (SSRF) | Confidential | Important | SSRF vulnerability sending requests to sensitive internal endpoints that leaks sensitive information or performs a sensitive action
Server-Side Request Forgery (SSRF) | General | Moderate | Blind SSRF reaching ports that should not be open
Server-Side Request Forgery (SSRF) | Public | Low | Blind SSRF that is only used for port scanning
Deserialization of Untrusted Data | Highly Confidential | Critical | Deserialization leading to unauthenticated cross tenant remote code execution
Deserialization of Untrusted Data | Confidential | Important | Deserialization leading to compromise of a system that processes data belonging to the current user
Deserialization of Untrusted Data | General | Moderate | Deserialization leading to server denial of service
Deserialization of Untrusted Data | Public | Low | Deserialization triggering only an HTTP 500 error with no other impact to the system
Web Security Misconfiguration | Highly Confidential | Critical | Default admin credentials that access an important resource
Web Security Misconfiguration | Confidential | Important | URL redirect in an OAuth flow that leaks the OAuth token
Web Security Misconfiguration | General | Low | Clickjacking due to lack of the X-FRAME-OPTIONS response header or lack of frame-ancestors in a CSP
Web Security Misconfiguration | Public | Low | Missing length check on a web app form leading to denial of service for the user, requiring them to refresh the page
Cross Origin Access Issues | Highly Confidential | Critical | Improper CORS (trusted origin) validation leading to disclosure of tokens with excessive permissions
Cross Origin Access Issues | Confidential | Important | Improper CORS (trusted origin) validation
Cross Origin Access Issues | General | Moderate | Access-Control-Allow-Origin header in the response reflecting any value put in the Origin header of the request, along with Access-Control-Allow-Credentials being set to true
Cross Origin Access Issues | Public | Low | Access-Control-Allow-Origin header in the response has been set to ‘*’ with no additional exploitation
Improper Input Validation | Highly Confidential | Critical | Tampering with request parameters affects the application’s logic and allows for cross tenant information exposure or privilege escalation
Improper Input Validation | Confidential | Important | Changing a parameter’s value affects the application’s logic, resulting in exposure of sensitive information or allowing the user to perform a sensitive action
Improper Input Validation | General | Moderate | Tampering with input parameters that can only cause visual, cosmetic changes to the user interface
Improper Input Validation | Public | Low | Modifying input parameters that make the user interface difficult to use
Severity Example for User Enumeration:
- Important Severity: If the target had no rate limitation or no logging.
- Moderate Severity: Username and/or email address leak via external API.
Microsoft recognizes that this list may not incorporate all online service vulnerability types and new vulnerabilities that may be discovered at any time. Some denial of service vulnerabilities that require low attacker resources may be serviced after a case-by-case evaluation. We reserve the right to classify any vulnerabilities that are not covered by this document at our discretion.
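Two rows of the table above can be checked from response headers alone: the "Cross Origin Access Issues" rows that rate a wildcard or reflected Access-Control-Allow-Origin, and the "Web Security Misconfiguration" row that rates missing clickjacking protection. The following is an added example, not Microsoft's triage tooling, that maps those header patterns to the table's severity tiers and shows the corrected header set beside them. The trusted-origin allow-list, the sample responses, and the helper names are constructed for the demonstration; the Important and Critical CORS rows depend on what the endpoint actually returns, which headers alone cannot establish, so those are flagged for manual confirmation.

```python
"""Added example (not Microsoft's tooling): header checks for the CORS and
clickjacking rows of the severity table, plus a hardened header set.
The allow-list and sample responses below are constructed for the demo."""
from typing import Dict, List, Optional, Tuple

# Constructed allow-list of origins the service trusts (assumption for the demo).
TRUSTED_ORIGINS = {"https://app.example.com"}

Finding = Tuple[str, str]  # (severity tier from the table, description)


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise once."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_cors(request_origin: str, headers: Dict[str, str]) -> Optional[Finding]:
    """Rate a response's CORS headers against the table's header-only patterns.
    Returns None when the headers alone show nothing wrong."""
    h = _lower(headers)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return None  # no cross-origin grant at all
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        # Table: Public / Low. Browsers never attach credentials to a '*' grant.
        return ("Low", "Access-Control-Allow-Origin is '*' with no additional exploitation shown")
    if acao == request_origin and request_origin not in TRUSTED_ORIGINS:
        if creds:
            # Table: General / Moderate. Any origin is echoed back and credentials
            # are allowed, so an untrusted page can read authenticated responses.
            return ("Moderate", "Origin reflected with Access-Control-Allow-Credentials: true")
        # Without credentials, reflecting any origin grants the same access as '*'.
        return ("Low", "Origin reflected without credentials (equivalent to '*')")
    if acao not in TRUSTED_ORIGINS:
        # A fixed origin outside the allow-list: table rates improper trusted-origin
        # validation Important, or Critical if tokens with excessive permissions leak.
        return ("Important", "Improper trusted-origin validation; confirm exposed data to finalise")
    return None


def check_framing(headers: Dict[str, str]) -> Optional[Finding]:
    """Table row 'Web Security Misconfiguration' / General / Low: clickjacking
    protection requires X-Frame-Options or a CSP frame-ancestors directive."""
    h = _lower(headers)
    has_xfo = "x-frame-options" in h
    has_frame_ancestors = "frame-ancestors" in h.get("content-security-policy", "").lower()
    if has_xfo or has_frame_ancestors:
        return None
    return ("Low", "No X-Frame-Options and no frame-ancestors in CSP (clickjacking)")


def hardened_headers(request_origin: str) -> Dict[str, str]:
    """The corrected configuration: echo only an allow-listed origin, send
    Vary: Origin so caches never serve one origin's grant to another, and deny framing."""
    out = {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "Vary": "Origin",
    }
    if request_origin in TRUSTED_ORIGINS:
        out["Access-Control-Allow-Origin"] = request_origin
        out["Access-Control-Allow-Credentials"] = "true"
    return out


def audit(request_origin: str, headers: Dict[str, str]) -> List[Finding]:
    """Run both checks over one response and return every finding."""
    return [f for f in (check_cors(request_origin, headers), check_framing(headers)) if f]


if __name__ == "__main__":
    # Constructed sample: a response that reflects whatever Origin it received.
    weak = {"Access-Control-Allow-Origin": "https://untrusted.example",
            "Access-Control-Allow-Credentials": "true"}
    for sev, desc in audit("https://untrusted.example", weak):
        print(f"{sev}: {desc}")
    print("hardened:", audit("https://untrusted.example", hardened_headers("https://untrusted.example")))
```

The checks deliberately stop at the tiers the table ties to headers; anything off the allow-list is reported as Important with a note to confirm the data exposed, because the Critical row hinges on token scope rather than on the header value.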
Data Classification
The following table outlines Microsoft’s general data classification guidelines. There may be exceptions and modifications made on a case-by-case basis at our discretion.
Data Classification | Description | Examples
---|---|---
Highly Confidential | The most critical data owned, used, and managed by the business. This very sensitive data requires the strictest protection available. Inappropriate disclosure, modification, or destruction of this data would result in significant business harm to the business or its shareholders, partners, or customers. |
Confidential | Sensitive business data owned, used, and managed by the business. Inappropriate disclosure, modification, or destruction of this data would result in moderate business harm to the business or its shareholders, partners, or customers. |
General | Business data that is not meant for public consumption. |
Public | Data designed for public consumption. |