Vulnerability Assessment-Positec Security Center

Critical security issues:

Remote access to the system privileges of the vulnerability (server-side privileges, client-side privileges) of the privileges. Including but not limited to: command injection, remote command execution, uploading to obtain WebShell, SQL injection to obtain system privileges, remote kernel code execution vulnerabilities, and other remote code execution vulnerabilities due to logical problems.
Serious level of information leakage. Including, but not limited to, obtaining a large amount of sensitive information data plural groups or a large amount of important database information through SQL injection, interface overstepping and other ways.
Serious logical design flaws. Including, but not limited to, serious problems with arbitrary account logins and arbitrary account password changes in critical business systems.

High-risk security issues:

Remote access to the system non-privileged privileges of the vulnerability. Including but not limited to remote command execution, arbitrary code execution and other vulnerabilities,vulnerabilities due to logical problems.
Remote override access to sensitive information vulnerability. Sensitive information includes, but is not limited to, data that can only be accessed by locally installed applications after requesting and obtaining permission, or data that is restricted to privileged processes.
Remote overstepping operation vulnerability. Including, but not limited to, remote bypassing the need for user-initiated or obtain user permission before the use of functional restrictions, the vulnerability of overstepping sensitive operations.
Vulnerabilities that can directly steal user identity information. Including key pages of stored XSS vulnerabilities, general site SQL injection vulnerabilities.
Remote overstepping operation vulnerability. Including, but not limited to, remote bypassing the need for user-initiated or obtain user permission before the use of functional restrictions, the vulnerability of overstepping sensitive operations.
Local access to system privileged access vulnerabilities. Including but not limited to local privilege elevation vulnerabilities.
Permission bypass vulnerabilities. This includes, but is not limited to, full bypass of kernel-level protections or exploiting vulnerabilities in mitigation techniques, local bypass of user-specific functionality requirements to restrict modifications to any developer or to any security settings, and full bypass of application-isolated operating system protections.

Medium-risk security issues:

Permission bypass vulnerabilities. This includes, but is not limited to, full bypass of kernel-level protections or exploiting vulnerabilities in mitigation techniques, local bypass of user-specific functionality requirements to restrict modifications to any developer or to any security settings, and full bypass of application-isolated operating system protections.

Local overstepping operation vulnerabilities. Including, but not limited to, local bypassing the need for user-initiated or obtain user permission before the use of functional restrictions, the vulnerability of overstepping sensitive operations.

Privilege bypass vulnerabilities. Including, but not limited to, comprehensive and in-depth bypassing the user-level protection function, or in the privileged process to take advantage of the vulnerability of the existence of mitigation techniques, bypassing the device protection function/restore the factory settings protection function vulnerability.

Remote override access to common information vulnerability. Common information includes, but is not limited to, data that is normally accessible to all locally installed applications.

Sensitive information leakage. Including, but not limited to, obtaining important keys, passwords, Secret and other available data in the system through reverse, network hijacking, source code and other means.

Low-risk security issues:

Local override vulnerabilities. Including, but not limited to, without user interaction, call the system's hidden functions, the user's use of the vulnerability caused by the actual difficulties or actual damage occurred.

The following issues are not included:

Bugs that do not involve security issues, including but not limited to product functionality defects, web page garbage, style confusion, static file directory traversal, application compatibility and other issues.

Unexploitable vulnerabilities. CSRF without sensitive operations, meaningless leakage of anomalous information, leakage of intranet IP address/domain name.

Other issues that do not directly reflect the existence of vulnerabilities. Including, but not limited to, purely user speculation.