This is the Trace Id: 48d661f9befa28a413b339a4258b6e80
Skip to main content
MSRC

Microsoft Vulnerability Severity Classification for Online Services


Our commitment to protecting customers from vulnerabilities in our software, services, and devices includes providing security updates and guidance that address those vulnerabilities when they are reported to Microsoft. We want to be transparent with our customers and security researchers in our approach. The following table describes the Microsoft data classification and severity for common vulnerability types for online services or web applications. It is derived from the Microsoft Security Response Center (MSRC) advisory rating. The MSRC uses this information to triage bugs and determine severity. To provide the best protection for our customers, we always prioritize fixing important and critical severity issues.

Data classification in the context of this document pertains to the data hosted on or by the service and its exposure through the identified vulnerability. The severity of the vulnerability is determined by the impact of the data that could be accessed. In addition, the ease of exploitation is also considered during severity assessment.  

Microsoft Vulnerability Severity Classification for Online Services

Vulnerability Type Data Classification Severity Example (For reference only)
Cross Site Scripting (XSS)
Highly Confidential
Critical
XSS that can compromise user session tokens or sensitive cookies with no victim interaction or actions required
 
Confidential
Important
XSS that can compromise user session tokens or sensitive cookies
 
General
Moderate
XSS triggering on public pages that does not disclose private data or allow the compromise of an authenticated session
 
Public
Low
XSS requiring a victim to input the malicious code themselves
Authentication Issues
Highly Confidential
Critical
Vulnerability allowing attacker to authenticate as another highly privileged user or cross tenant without victim’s interaction
 
Confidential
Important
Vulnerability allowing authenticated attacker within a tenant to elevate their privilege
 
General
N/A
Read only access to a web directory that should be authenticated, like a directory that contains generic images for an internal only site, but no sensitive information is obtainable
 
Public
Improper Access Control
Highly Confidential
Critical
Missing access controls exposes sensitive data from another customer
 
Confidential
Important
An unprivileged user accessing data intended for privileged user
 
General
Moderate
An unprivileged user viewing non-sensitive data without permission
 
Public
Low
An unprivileged user viewing non-sensitive data that’s not intended to be public

Injection

(SQL injection and Command injection)

Highly Confidential
Critical
Injection leading to elevation of privilege to a different tenant
 
Confidential
Important
Injection leading to elevation of privilege in the same tenant
 
General
 
Public
Moderate
Blind SQL Injection with no sensitive information disclosed
Cross-Site Request Forgery (CSRF)
Highly Confidential
Critical
CSRF vulnerability performing highly privileged administrative action, like allowing account credential reset on any user in an Azure service
 
Confidential
Important
CSRF vulnerability resulting in the change of a user’s email address and subsequent account takeover
 
General
Moderate
CSRF vulnerability allowing a minor change to an users account, like adding a personal note to a user’s account
 
Public
Low
A CSRF vulnerability on an unauthenticated form
Server-Side Request Forgery (SSRF)
Highly Confidential
Critical
Cross tenant information disclosure or elevation of privilege after reaching internal servers
 
Confidential
Important
SSRF vulnerability sending requests to sensitive internal endpoints that leaks sensitive information or performs a sensitive action
 
General
Moderate
Blind SSRF reaching ports that should not be open
 
Public
Low
Blind SSRF that is only used for port scanning
Deserialization of Untrusted Data
Highly Confidential
Critical
Deserialization leading to unauthenticated cross tenant remote code execution
 
Confidential
Important
Deserialization leading to compromise of a system that processes data belonging to the current user
 
General
Moderate
Deserialization leading to Server Denial of Service
 
Public
Low
Deserialization triggering only an HTTP 500 error with no other impact to the system
Web Security Misconfiguration
Highly Confidential
Critical
Default admin credentials that access an important resource
 
Confidential
Important
URL redirect in an OAuth flow that leaks the OAuth token
 
General
Low
Clickjacking due to lack of the X-FRAME-OPTIONS response header or lack of frame-ancestors in a CSP
 
Public
Low
Missing length check on web app form leading to denial of service for the user, requiring them to refresh the page
Cross Origin Access Issues
Highly Confidential
Critical
Improper CORS (trusted origin) validation leading to disclosure of tokens with excessive permissions
 
Confidential
Important
Improper CORS (trusted origin) validation
 
General
Moderate
Access-Control-Allow-Origin header in response reflecting any value put in Origin header in the request, along with Access-Control-Allow-Credentials being set to true
 
Public
Low
Access-Control-Allow-Origin header in the response has been set to ‘*’ with no additional exploitation
Improper Input Validation
Highly Confidential
Critical
Tampering with request parameters affects the application’s logic and allows for cross tenant information exposure, privilege escalation
 
Confidential
Important
Changing a parameter’s value affects the application’s logic, resulting in an exposure of sensitive information or allows the user to perform a sensitive action
 
General
Moderate
Tampering with input parameters that can only cause visual cosmetic changes to the user interface
 
Public
Low
Modifying input parameters that make the user interface difficult to use

Serverity Example for User Enumeration:

  • Important Severity: If the target had no rate limitation or no logging. 
  • Moderate Severity: Username and/or email address leak via external API. 

Microsoft recognizes that this list may not incorporate all online service vulnerability types and new vulnerabilities that may be discovered at any time. Some denial of service vulnerabilities that require low attacker resources may be serviced after a case-by-case evaluation. We reserve the right to classify any vulnerabilities that are not covered by this document at our discretion.

 

 

Data Classification

The following table outlines Microsoft’s general data classification guidelines. There may be exceptions and modifications made on a case-by-case basis at our discretion.

 

Data Classification Description Examples
Highly Confidential
The most critical data owned, used, and managed by the business. This very sensitive data requires the strictest protection available. Inappropriate disclosure, modification, or destruction of this data would result in significant business harm to the business or its shareholders, partners, or customers.
  • Payment data
  • Customer data
  • Future or active sales and marketing plans
  • Software tokens
Confidential
Sensitive business data owned, used, and managed by the business. Inappropriate disclosure, modification, or destruction of this data would result in moderate business harm to the business or its shareholders, partners, or customers.
  • Confidential source code
  • Media product features and release schedule
  • Business account data
General
Business data that is not meant for public consumption.
  • Zip code (not associated with an individual)
  • Media assets that can be viewed by anyone under NDA.    
  • Real-time-geo-location data
Public
Data designed for public consumption.
  • Open source code
  • Announced financial reports
  • Approved public video