CVSS Scoring

The Common Vulnerability Scoring System (CVSS) is an industry benchmark for evaluating the seriousness of identified vulnerabilities. It calculates a CVSS score by considering three metric categories (base, temporal, and environmental) encompassing various aspects of a vulnerability's impact and ability to persist in different contexts.

PlexTrac allows users to input or adjust scores when generating or revising findings, facilitating precise vulnerability assessment.

CVSS is owned by FIRST and used with permission. This calculator is based on FIRST CVSS documentation.

Entering a Findings Score

Step 1: From the Findings tab, click Edit under the "Actions" column of the finding to modify.

Step 2: On the Finding Details tab, select the applicable standard from the Score type pulldown menu (information specifically on CVSS v3.1 and CVSS v4.0 is located further below). If not using CVSS, click General.

Step 3: Enter values in the provided fields.

The score information for that finding is now displayed on the Finding Detail page.

CVSS v3.1/v4.0 Calculator

PlexTrac has a built-in calculator that generates a CVSS score based on selected input values. It also generates a CVSS vector and assigns severity to a finding based on the information selected and calculated score.

Users can create a value by clicking through the provided calculator, typing in a vector, or combining both actions.

The calculator is available when CVSS v3.1 or CVSS v4.0 is selected from the "Score type" field.

If the value in the Severity field is manually changed at any point after a CVSS v3.1 score has been created, a warning message will appear.

Entering a Score Manually

If the score is already known, it can be entered in the "Score" field, and the finding's severity will update to match the score.

Entering a Vector Manually

If the CVSS vector is known, entering the value in the "Vector" field will dynamically set the finding severity.

Using the Calculator

Step 1: In the "Score type" field, select CVSS v3.1 or CVSS v4.0, then click Calculate Score.

Step 2: To create a vector, select values by clicking the fields provided. All values must be entered.

The metrics available to configure differ depending on the score type selected.

After entering a value for all fields, a severity score, severity value, and vector value are populated.

Validation is performed on multiple fields to ensure the score and severity are accurate. It relies on the vector string and the vector record, which must be kept in sync.

The calculator updates the vector record string when a field is clicked. However, the string is displayed only when all base values are selected. The option to save will appear afterward.

When the vector string has changed, the string is then validated. If the string is valid, the record and selected values are updated in the calculator modal. If not, a warning message is displayed, and the save button is disabled.

Step 3: For more advanced scoring options, expand "Show temporal and environmental scoring."

Additional fields specific to the score type will be displayed for editing.

Step 5: When finished, scroll to the bottom of the modal and click Save. The severity, score, and vector are populated in the appropriate fields on the Findings Details tab.

CVSS 3.1 scores can also be viewed on the Findings tab of a report or client if that field has been configured to appear in the table.


© 2024 PlexTrac, Inc. All rights reserved.