The tester was able to inject JavaScript into the URL parameter, and the browser executed the script:
- AV:N: The hacker connects over a network to execute the attack.
- AC:L: The complexity is low; the hacker tested the JavaScript payload in all browsers, and it worked in every one.
- PR:N: No privilege is required.
- UI:N: The victim needs to click on a link through a social engineering attack.
- S:C: The scope is not limited to the web server; the victim's browser is impacted as well.
- C:L: Since the HttpOnly flag is set, the confidentiality impact is low, because the attacker has not accessed sufficient cookie data to hijack the victim's session.
- I:L: The hacker can probably change data only within the victim's browser context.
- A:N: The hacker will not be able to impact the availability of the server.