The following issues are not vulnerabilities:
1. Bugs that do not involve security issues, including but not limited to product functional defects, garbled web pages, confusing styles, static file directory traversal, application compatibility and other issues.
2. Vulnerabilities that cannot be exploited, such as CSRF without sensitive operations, meaningless abnormal information leakage, and intranet IP address/domain name leakage.
3. Other problems that cannot directly reflect the existence of vulnerabilities, including but not limited to issues that are pure guesswork.
Low Risk Vulnerabilities:
1. Vulnerabilities that have some impact but cannot directly obtain device permissions or affect data security, such as non-important information disclosure, URL redirection, difficult-to-exploit XSS vulnerabilities, and common CSRF vulnerabilities.
2. Ordinary unauthorized operations, including but not limited to incorrect direct object references.
3. Common logic design flaws, including but not limited to SMS verification code bypass and email verification bypass.
Medium Risk Vulnerabilities:
1. Vulnerabilities that directly obtain user identity information, including but not limited to stored XSS vulnerabilities.
2. Arbitrary text operation vulnerabilities, including but not limited to any file reading, writing, deleting, downloading and other operations.
3. Unauthorized access, including but not limited to modifying user data and performing user operations by circumventing restrictions.
High Risk Vulnerabilities:
1. Vulnerabilities that directly obtain business server permissions, including but not limited to arbitrary command execution, webshell upload, arbitrary code execution, command injection, and remote command execution.
2. Logic vulnerabilities that have direct and serious impacts, including but not limited to any account password change vulnerability.
3. Vulnerabilities that can directly steal user identity information in batches, including but not limited to SQL injection.
4. Unauthorized access, including but not limited to bypassing authentication to directly access the administrator back end, and weak passwords in the back end.
Critical Risk Vulnerabilities:
1. Direct access to core system permissions. Vulnerabilities that can directly endanger the intranet, including but not limited to command execution, remote overflow and other vulnerabilities.
2. Vulnerabilities that can obtain a large amount of core user data.
3. Logic vulnerabilities that have direct and serious impacts, including but not limited to serious logic errors and vulnerabilities that can obtain a large amount of benefits and cause losses to companies and users.