From 50d1d5e97c15d5e81dbb277475fa64ba91f27b68 Mon Sep 17 00:00:00 2001
From: paul-ion
Date: Thu, 7 Aug 2025 21:18:31 +0000
Subject: [PATCH 01/21] Add option answer type and cvss module stub
---
 trainingportal/challenges.js | 15 +++++---
 trainingportal/qna.js | 7 +++-
 trainingportal/static/challenges.html | 26 ++++++++++----
 trainingportal/static/challengesCtrl.js | 30 ++++++++++++++++
 .../static/lessons/cvss/cvss_intro.md | 5 +++
 .../static/lessons/cvss/cvss_intro.sol.md | 0
 .../static/lessons/cvss/definitions.json | 36 +++++++++++++++++++
 trainingportal/static/lessons/modules.json | 13 +++++++
 trainingportal/static/submitCode.html | 13 +++----
 trainingportal/static/submitCodeCtrl.js | 19 ++++++++--
 trainingportal/test/qna.test.js | 2 +-
 11 files changed, 143 insertions(+), 23 deletions(-)
 create mode 100644 trainingportal/static/lessons/cvss/cvss_intro.md
 create mode 100644 trainingportal/static/lessons/cvss/cvss_intro.sol.md
 create mode 100644 trainingportal/static/lessons/cvss/definitions.json
diff --git a/trainingportal/challenges.js b/trainingportal/challenges.js
index 2e17588a..f09ad489 100644
--- a/trainingportal/challenges.js
+++ b/trainingportal/challenges.js
@@ -84,7 +84,6 @@ let init = async () => {
 let moduleDefinitions = getDefinitionsForModule(moduleId);
 var modulePath = getModulePath(moduleId);
 for(let level of moduleDefinitions){
- challengeDefinitions.push(level);
 for(let challenge of level.challenges){
 if(!util.isNullOrUndefined(challengeNames[challenge.id])){
 throw new Error(`Duplicate challenge id: '${challenge.id}'!`);
@@ -206,6 +205,7 @@ let getChallengeDefinitions = async (moduleId) => {
 if(util.isNullOrUndefined(moduleId)) return [];
 if(util.isNullOrUndefined(modules[moduleId])) return [];
+ if(!util.isNullOrUndefined(challengeDefinitions[moduleId])) return challengeDefinitions[moduleId];
 var modulePath = getModulePath(moduleId);
 var moduleDefinitions = getDefinitionsForModule(moduleId);
@@ -224,12 +224,17 @@ let getChallengeDefinitions = async (moduleId) => {
 challenge.description = path.join(modulePath, description);
 }
 if(challenge.type === "quiz"){
- challenge.question = qna.getCode(challenge.id);
+ if(util.isNullOrUndefined(challenge.options)){
+ challenge.question = qna.getCode(challenge.id);
+ }
+ else if(!util.isNullOrUndefined(challenge.answer)){
+ challenge.question = { "digest": qna.getDigest(challenge.answer)}
+ }
 }
 }
 returnChallenges.push(level);
 }
-
+ challengeDefinitions[moduleId] = returnChallenges;
 return returnChallenges;
 }
@@ -452,8 +457,8 @@ let apiChallengeCode = async (req) => {
 }
 let answer = null;
- if(!util.isNullOrUndefined(req.body.answer)){
- answer = req.body.answer.trim();
+ if(!util.isNullOrUndefined(req.body.answer) && typeof req.body.answer === "string"){
+ answer = req.body.answer.trim().toLowerCase();
 }
 if(util.isNullOrUndefined(challengeCode) ||
diff --git a/trainingportal/qna.js b/trainingportal/qna.js
index 2a6c5587..83f578e7 100644
--- a/trainingportal/qna.js
+++ b/trainingportal/qna.js
@@ -25,8 +25,12 @@ let getSecretText = (challengeId) => {
 return secretText.toUpperCase();
 }
+let getDigest = (val) => {
+ return crypto.createHash('sha256').update(val.trim().toLowerCase() + masterSalt).digest('hex');
+}
+
 let getRes = (mes, code) => {
- let digest = crypto.createHash('sha256').update(mes.trim()+masterSalt).digest('hex');
+ let digest = getDigest(mes);
 return res = {
 code:code,
 digest:digest,
@@ -241,6 +245,7 @@ const DEFS = {
 module.exports = {
 DEFS,
 getCode,
+ getDigest,
 checkCode,
 xorOp
 }
diff --git a/trainingportal/static/challenges.html b/trainingportal/static/challenges.html
index 6a4930f3..c32b5820 100644
--- a/trainingportal/static/challenges.html
+++ b/trainingportal/static/challenges.html
@@ -74,12 +74,26 @@
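Review bot: The new `else if` branch puts a digest in `challenge.question` but leaves the plaintext `challenge.answer` on the same object, which is then stored in `challengeDefinitions[moduleId]` and returned. If this list is what the `/challenges/${moduleId}` route serialises to the browser (not visible here), the correct option is delivered alongside its digest; dropping the field from what is returned, e.g. `delete challenge.answer;` right after the digest is computed, would close that, provided nothing server-side reads it later. The new `lessons/cvss/definitions.json` also lives under `static/`, so it is worth confirming that file is not reachable directly. A quiz that has `options` but no `answer` silently gets no `question`; a thrown error at load would surface the misconfiguration. The function starts and ends outside this hunk.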
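Review bot: In the `apiChallengeCode` hunk the `util.isNullOrUndefined(req.body.answer)` test is redundant once `typeof req.body.answer === "string"` is required, so the condition can be written `if(typeof req.body.answer === "string"){`. A non-string `answer` (an array or object in the JSON body) now leaves `answer` as `null`; whether that is rejected depends on the check that begins on the last line of the hunk and continues outside it. A short comment such as `// answers are matched case-insensitively; qna.getDigest lower-cases as well` would record why `.toLowerCase()` was added for every quiz type.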
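Review bot: `getDigest` in `qna.js` hashes only the normalised answer and `masterSalt`, so two challenges with the same answer string produce the same digest and nothing ties a digest to a challenge id. For free-text answers that matters little, but for option quizzes with a handful of possible values the digest sent to the client stops being opaque once it has been seen on one solved question. Mixing the challenge id into the hash would fix that, but needs a matching change where the digest is verified, which is outside this hunk. Separately, `val.trim()` throws on a non-string and `challenges.js` now passes `challenge.answer` straight from JSON; `String(val).trim().toLowerCase()` would tolerate a numeric answer.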

Challenge

The play link has been provided to you when solving the previous module or challenge. If you have missed it read the challenge description carefully and try to figure out what it is.

-
+
+ +
+ + +
+
+ + +
+ Submit Answer +
+

Once you were able to complete the challenge you can generate a code which you can submit below. @@ -87,11 +101,11 @@

Challenge

Submit Code
- -

- Once you were able to find the answer you can submit it below. -

- Submit Answer + +   + +
+ Submit Answer
diff --git a/trainingportal/static/challengesCtrl.js b/trainingportal/static/challengesCtrl.js
index 67b31162..e950ecd8 100644
--- a/trainingportal/static/challengesCtrl.js
+++ b/trainingportal/static/challengesCtrl.js
@@ -24,6 +24,36 @@ app.controller("challengesCtrl", function($scope, $http, $routeParams) {
 }
+ $scope.submitOption = function(id, digest){
+ let answer = null;
+ let options = document.getElementsByClassName(`option-${id}`);
+ for(let op of options){
+ if(op.checked){
+ answer = op.value
+ break;
+ }
+ }
+ $scope.saveAnswer(answer,id,digest);
+ }
+
+ $scope.submitAnswer = function(id, digest){
+ let answer = null;
+ let el = document.getElementById(`answer-${id}`);
+ if(el){
+ answer = el.value;
+ }
+ $scope.saveAnswer(answer,id,digest);
+ }
+
+ $scope.saveAnswer = function(answer, id, digest){
+ if(answer !== null){
+ localStorage.setItem("dojo.current.answer", answer);
+ localStorage.setItem("dojo.current.challenge", window.location.href);
+ window.location.href = `#!submitCode/${$scope.moduleId}/${id}/quiz/${digest}`;
+ }
+ }
+
+
 $scope.loadChallenges = function(){
 $http.get(`/challenges/${$scope.moduleId}`)
 .then(function(response) {
diff --git a/trainingportal/static/lessons/cvss/cvss_intro.md b/trainingportal/static/lessons/cvss/cvss_intro.md
new file mode 100644
index 00000000..1c63d5bb
--- /dev/null
+++ b/trainingportal/static/lessons/cvss/cvss_intro.md
@@ -0,0 +1,5 @@
+#### Agreeing on vulnerability severity
+
+The Common Vulnerability Scoring System (CVSS) is how we agree on vulnerability severity.
+
+We need to agree on severity so we may prioritize investing our time and effort where it matters most.
\ No newline at end of file
diff --git a/trainingportal/static/lessons/cvss/cvss_intro.sol.md b/trainingportal/static/lessons/cvss/cvss_intro.sol.md
new file mode 100644
index 00000000..e69de29b
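Review bot: `saveAnswer` hands the answer to the next view through `localStorage` under a fixed key that carries no challenge id, and the `init` hunk of `submitCodeCtrl.js` later in this patch submits whatever it finds there for the challenge in the current route. `localStorage` is shared by every tab of the origin and survives the session, so a value left behind by an interrupted navigation can be auto-submitted against a different challenge. Using `sessionStorage` and storing the id with the answer, so `init` can compare it with `$routeParams.challengeId` before submitting, would keep the hand-off scoped. `id` and `digest` are also interpolated into the route unencoded, where `encodeURIComponent(id)` and `encodeURIComponent(digest)` would be safer, and `submitOption` gives the user no feedback when no option is checked.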
diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json new file mode 100644 index 00000000..f705b47d --- /dev/null +++ b/trainingportal/static/lessons/cvss/definitions.json @@ -0,0 +1,36 @@ +[ + { + "level":0, + "name":"Vulnerability Investigator", + "challenges":[ + { + "id":"cvss_intro", + "name":"About CVSS", + "description": "cvss_intro.md", + "solution": "cvss_intro.sol.md", + "type":"quiz", + "mission":"Choose the correct option", + "options":[ + { + "display":"Confidentiality: High, Integrity: High, Availability: High", + "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" + }, + { + "display":"Confidentiality: High, Integrity: High, Availability: None", + "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" + }, + { + "display":"Confidentiality: High, Integrity: None, Availability: None", + "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" + }, + { + "display":"Confidentiality: None, Integrity: None, Availability: None", + "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "answer":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", + "codeBlockIds":[] + } + ] + } +] \ No newline at end of file diff --git a/trainingportal/static/lessons/modules.json b/trainingportal/static/lessons/modules.json index 688c94e0..46a4b336 100644 --- a/trainingportal/static/lessons/modules.json +++ b/trainingportal/static/lessons/modules.json 
@@ -14,6 +14,19 @@ }, "requiredModules":[] }, + "cvss":{ + "name":"Vulnerability Investigator", + "summary":"Understanding vulnerability severity", + "description":"This module covers the most important aspects of the Common Vulnerability Scoring System (CVSS)", + "description2": "Includes lessons. Estimated duration 2 hours.", + "badgeInfo":{ + "line1":"Secure Coding Dojo", + "line2":"Vulnerability Investigator", + "line3":"", + "bg":"darkorange" + }, + "requiredModules":[] + }, "cryptoBreaker":{ "name":"Crypto Breaker - Part 1", "summary":"Introduction to Cryptography", diff --git a/trainingportal/static/submitCode.html b/trainingportal/static/submitCode.html index 830a8301..8099a250 100644 --- a/trainingportal/static/submitCode.html +++ b/trainingportal/static/submitCode.html @@ -6,24 +6,21 @@

When you have solved the challenge, take the salt below to obtain the verification code.


-
-   - -
-
+
 
-
+
- - + + +
diff --git a/trainingportal/static/submitCodeCtrl.js b/trainingportal/static/submitCodeCtrl.js
index c3884945..bae8df6c 100644
--- a/trainingportal/static/submitCodeCtrl.js
+++ b/trainingportal/static/submitCodeCtrl.js
@@ -19,6 +19,15 @@ app.controller("submitCodeCtrl", function($scope, $http, $routeParams) {
 $scope.init = function(){
 var challengeCodeValue = $routeParams.challengeCode;
 $scope.challengeType = $routeParams.challengeType;
+
+ let answerString = localStorage.getItem("dojo.current.answer");
+
+ if(answerString){
+ localStorage.removeItem("dojo.current.answer");
+ $scope.answer = answerString;
+ $scope.submitAnswer()
+ }
+
 if(challengeCodeValue === '0'){ //this is the old style of challenge verification
 $http.get("/api/salt",window.getAjaxOpts())
 .then(function(response) {
@@ -37,13 +46,19 @@ app.controller("submitCodeCtrl", function($scope, $http, $routeParams) {
 $scope.isCodeErrorMessage = false;
 }
+ $scope.goBack = () => {
+ let challengeHref = localStorage.getItem("dojo.current.challenge");
+ if(challengeHref){
+ localStorage.removeItem("dojo.current.challenge");
+ window.location.href = challengeHref;
+ }
+ }
 $scope.submitAnswer = function(){
 var moduleId = $routeParams.moduleId;
 var challengeId = $routeParams.challengeId;
 var challengeType = $routeParams.challengeType;
- var answerValue = "";
- if(typeof answer !== "undefined") answerValue = answer.value;
+ var answerValue = $scope.answer
 var challengeCodeValue = "";
 if(typeof challengeCode !== "undefined"){
diff --git a/trainingportal/test/qna.test.js b/trainingportal/test/qna.test.js
index 00ae9efa..d085ef34 100644
--- a/trainingportal/test/qna.test.js
+++ b/trainingportal/test/qna.test.js
@@ -18,7 +18,7 @@ describe("qna", () => {
 });
 test("true for correct code",()=>{
- let text = "PLAIN TEXT";
+ let text = "plain text";
 for(let alg in qna.DEFS){
 if(alg === "crypto_analysis") continue;
 let res = qna.getCode(alg,text);
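Review bot: `goBack` assigns a string read from `localStorage` directly to `window.location.href` without checking where it points. The value is normally written by `saveAnswer` from the current URL, but storage is writable by any script running on the origin, so a same-origin check before navigating is cheap insurance, e.g. `if(new URL(challengeHref, window.location.href).origin === window.location.origin) window.location.href = challengeHref;`. When the key is absent the control does nothing, so a fallback to the module's challenge list would avoid a dead button. In the same hunk `var answerValue = $scope.answer` yields `undefined` rather than the previous `""` when nothing was entered; `$scope.answer || ""` keeps the old default.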
From fb9f68ee044e49db2b3ae59bea8ff2335e2a2a8c Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Tue, 19 Aug 2025 10:45:33 +0300 Subject: [PATCH 02/21] test commit From 4b82268f0e192eaedb12f545a2f2de883bb87dfe Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Wed, 20 Aug 2025 11:17:39 +0300 Subject: [PATCH 03/21] Keep explicit newlines --- trainingportal/util.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/trainingportal/util.js b/trainingportal/util.js index 737a11db..41056b37 100644 --- a/trainingportal/util.js +++ b/trainingportal/util.js @@ -105,6 +105,9 @@ exports.parseMarkdown = (text) => { let html = markdown.toHTML(text); //made code tag non bindable by angular html = html.replace(/` + html = html.replace(/<br>/g,"
"); return html } From 818d9387e73ccc97e419c2dc869bb5736c851b08 Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Wed, 20 Aug 2025 13:29:41 +0300 Subject: [PATCH 04/21] CVSS intro --- .../static/lessons/cvss/cvss_intro.md | 306 +++++++++++++++++- .../static/lessons/cvss/cvss_intro.sol.md | 1 + .../static/lessons/cvss/definitions.json | 24 +- 3 files changed, 314 insertions(+), 17 deletions(-) diff --git a/trainingportal/static/lessons/cvss/cvss_intro.md b/trainingportal/static/lessons/cvss/cvss_intro.md index 1c63d5bb..2448bd8b 100644 --- a/trainingportal/static/lessons/cvss/cvss_intro.md +++ b/trainingportal/static/lessons/cvss/cvss_intro.md @@ -1,5 +1,305 @@ -#### Agreeing on vulnerability severity +## The Common Vulnerability Scoring System (CVSS) -The Common Vulnerability Scoring System (CVSS) is how we agree on vulnerability severity. +
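Review bot: The added replacement in `parseMarkdown` runs over the whole rendered document, so an escaped `br` tag inside a code span or code block, where a lesson would be showing the tag literally, is also turned into a real line break. The pattern is partly lost in this extract, so this assumes it un-escapes only the exact `br` form; if so it re-admits no other markup, and a comment stating that the pattern must stay that narrow (no attributes, no other tags) would guard against a later widening that lets lesson text inject HTML. The function begins outside the hunk.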
-We need to agree on severity so we may prioritize investing our time and effort where it matters most. \ No newline at end of file +The Common Vulnerability Scoring System (CVSS) is an *open framework for communicating the characteristics and severity of software vulnerabilities*. You can find the most complete and up-to-date information on CVSS at [https://www.first.org/cvss/](https://www.first.org/cvss/). The current version of the CVSS specification is CVSS v4 with CVSS v3 still being widely used. CVSS provides a standardized vendor agnostic and platform agnostic methodology and produces a CVSS Score value between 0 and 10 and a CVSS rating: + +- 9.0 - 10.0 Critical +- 7.0 - 8.9 High +- 4.0 - 6.9 Medium +- 0.1 - 3.9 Low +- 0.0 None + + + +The CVSS score is produced by choosing the corresponding values for each CVSS metric (metrics will be covered in detail later in this chapter). The final set of all metrics is represented in the so called CVSS Vector e.g. `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N`. This example is decoded as: + +- `AV:N` -> Attack Vector (AV): Network (N) +- `AC:L` -> Attack Complexity (AC): Low (L) +- `AT:N` -> Attack Requirements (AT): None (N) +- `PR:N` -> Privileges Required (PR): None (N) +- `UI:N` -> User Interaction (UI): None (N) +- `VC:H` -> Vulnerable System Confidentiality (VC): High (H) +- `VI:H` -> Vulnerable System Integrity (VI): High (H) +- `VA:N` -> Vulnerable System Availability (VA): None (N) +- `SC:N` -> Subsequent System Confidentiality (SC): None (N) +- `SI:N` -> Subsequent System Integrity (SI): None (N) +- `SA:N` -> Subsequent System Availability (SA): None (N) + +Just by looking at the CVSS Vector, we can understand the (high-level) story behind the vulnerability. In this example we can see that: An unauthenticated attacker (`AV:N/AC:L/AT:N/PR:N/UI:N`) can read and write sensitive data (`VC:H/VI:H/VA:N`). + +


+ +--- + +### It is important to note that CVSS `is not a` *Risk Score*. + +

+ +CVSS gives us a **technical score** of a vulnerability. It does **NOT** deal with any business, financial, health or any other form of risk. To better understand this, consider the following example: + + - 2 different vulnerabilities + - The same CVSS score of 9.0 Critical + - One of those is in a music player / sound device + - The other is in a medical software responsible for delivering health-critical medical services to patients + +The CVSS specification explicitly covers that vulnerability management should consider factors that are outside of CVSS: + + Consumers may use CVSS information as input to an organizational vulnerability management + process that also considers factors that are not part of CVSS in order to rank the threats + to their technology infrastructure and make informed remediation decisions. Such factors may + include, but are not limited to: regulatory requirements, number of customers impacted, + monetary losses due to a breach, life or property threatened, or reputational impacts of a + potential exploited vulnerability. These factors are outside the scope of CVSS. + +--- + +


+ +## CVSS Metric Groups + +
+ +CVSS v4 has 4 metric groups: + +- Base. + - Intrinsic characteristics + - Constant over time + - Assumes reasonable worst-case impact +- Threat. + - The current state of exploitability and remediation + - Can only go lower than the Base score +- Environmental. + - Adjusted to specific environment + - Considers mitigating factors + - Considers adverse effects + - Can go higher or lower than the Base score +- Supplemental. + - Context and additional extrinsic attributes + - No impact on the CVSS score + +For the remainder of this chapter, we will be focusing only on the Base metric group as it provides the most robust measure of a vulnerability's characteristics. The Environmental group is also very effective for adjusting the exploitability and impact metrics for a particular environment and can be viewed as a modification to the Base metric. + + +## CVSS Base Score + +CVSS Base metrics go into 2 broad categories: + +- **Exploitability**. How easy/hard it is to exploit the vulnerability and what the prerequisites are. + - `Attack Vector (AV)` + - `Attack Complexity (AC)` + - `Attack Requirements (AT)` + - `Privileges Required (PR)` + - `User Interaction (UI)` +- **Impact**. The security properties being violated. + - *Vulnerable System*. The system that has the vulnerability. + - `Confidentialiy (VC)` + - `Integrity (VI)` + - `Availability (VA)` + - *Subsequent System*. Other dependent system(s) being impacted. + - `Confidentiality (SC)` + - `Integrity (SI)` + - `Availability (SA)` + +


+ +### Exploitability Metrics + +#### [Attack Vector (AV)](https://www.first.org/cvss/v4-0/specification-document#Attack-Vector-AV) +- **Question**: From where can an attacker execute the attack? +- **Values**: + - Network (`N`) + - Remotely over the network + - **Examples**: + - Web-based attacks + - Adjacent (`A`) + - Local/Adjacent network (physical or logical) + - **Examples**: + - Physical proximity + - Bluetooth + - WiFi + - Logical proximity + - ARP + - DHCP + - Local (`L`) + - Not bound to the network stack + - **Examples**: + - Vulnerable lock screen + - Malware infected document + - Local Privilege Escalation (LPE) + - Physical (`P`) + - Physical access to the device + - **Examples**: + - Malicious USB device + - Evil Maid attacks + +#### [Attack Complexity (AC)](https://www.first.org/cvss/v4-0/specification-document#Attack-Complexity-AC) + +- **Question**: What are the requirements for bypassing security-enhancing conditions/controls? +- **Values**: + - Low (`L`) + - The attack requires no target-specific defense circumvention + - **Examples**: + - Most web attacks + - High (`H`) + - The attack requires evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack: + - address space layout randomization (ASLR) + - data execution prevention (DEP) + - Obtaining target-specific secrets + - **Examples**: + - [regreSSHion CVE-2024-6387](https://www.first.org/cvss/v4-0/examples#regreSSHion-CVE-2024-6387) + - Attackers must defeat memory safety defenses in order to achieve code execution + +#### [Attack Requirements (AT)](https://www.first.org/cvss/v4-0/specification-document#Attack-Requirements-AT) + +- **Question**: Are there any non-security-specific conditions that need to be overcome? 
+- **Values**: + - None (`N`) + - No special requirements or conditions + - **Examples**: + - Most web attacks + - Present (`P`) + - The attack requires the presence of a specific condition that is not always present + - **Examples**: + - Race condition requiring a very specific timing window + - Man-in-the-Middle (MitM) attacks + +#### [Privileges Required (PR)](https://www.first.org/cvss/v4-0/specification-document#Privileges-Required-PR) + +- **Question**: What privileges does an attacker need (themselves, not the victim)? +- **Values**: + - None (`N`) + - No need for authentication + - **Examples**: + - SQL injection on the login page + - Low (`L`) + - Authentication required, but only low privileges + - **Examples**: + - Low-privileged user can access the admin panel + - Logged in attacker is able to change other users’ data + - High (`H`) + - Attacker needs significant privileges (e.g. admin) + - **NOTE**: In CVSS we only measure the impact of a vulnerability in terms of what is gained by exploiting it. It wouldn't make sense to score legitimate administrative capabilities as impact. + - **Examples**: + - Exploit only possible through the admin panel of a Web app + - Change of scope vulnerabilities such as a privileged user on a VM/container can escape into the host and execute commands there + +#### [User Interaction (UI)](https://www.first.org/cvss/v4-0/specification-document#User-Interaction-UI) + +- **Question**: What are the requirements on the user/victim for the attack to succeed? 
+- **Values**: + - None (`N`) + - Attacker can exploit without any interaction from any user/victim + - **Examples**: + - SQL injection on the login page + - Passive (`P`) + - Requires only limited interaction or normal/ordinary user behaviour + - **Examples**: + - A user will be compromised if they simply open a malicious message/email/sms within the application (not having to further follow any links) + - A malicious user can change their user info so that an account takeover occurs whenever the admin user generates reports (assuming report generation is a normal/expected activity) + - A stored cross-site scripting (XSS) in the default dashboard that loads after user log-in + - Active (`A`) + - Requires a behaviour that is out of the ordinary, against recommended guidance, or subverting security controls + - **Examples**: + - An email with malicious attachment that the victim needs to explicitly download and execute + - The user must explicitly accept/override a security warning such as certificate/TLS issues reported by the browser + - Reflected cross-site scripting (XSS) where the victim needs to follow a malicious link + +### Impact Metrics + +#### CIA + +In CVSS impact is measured against the security properties: + +- **Confidentiality (C)**. Attackers can't read data. +- **Integrity (I)**. Attackers can't modify data. +- **Availability (A)**. Attackers can't disrupt the service. + +Impact is only measured in terms of what is gained by exploiting a vulnerability. For example, a vulnerability that allows a read-only user to modify some data should only be scored with Integrity impact. The impact should be contained to what can be proven or reasonably expected. 
+ +**NOTES**: + +- Brute-forcing cryptographically secure algorithms with sufficient key size and entropy should be considered neither reasonable nor practical +- Finding a collision in a hashing function known to be broken (such as SHA-1) has to be considered reasonable (as proven in the shattered attack), even if not computationally/financially feasible for non-financially capable attackers. + +#### Scope (Vulnerable System Impact vs Subsequent System Impact) + +CVSS v4 introduces separate impact scores for the Vulnerable (`V`) system and Subsequent (`S`) systems (previously in CVSS v3 this used to be marked by a Scope (`S`) metric). + +The CVSS documentation includes a [User Guide](https://www.first.org/cvss/v4-0/user-guide#Vulnerable-System-and-Subsequent-System) with some examples on scope scoring. + +Examples of change of scope (vulnerable to subsequent) for impact: + +- vulnerability in a virtualization hypervisor that allows a virtual machine "escape" from the VM onto the host (similarly, container escape) +- cross-site scripting (XSS) vulnerabilities. The vulnerable system is the web server, but the impacted system (i.e. subsequent) is the victim's web browser. + +#### [Confidentiality (VC/SC)](https://www.first.org/cvss/v4-0/specification-document#Confidentiality-VC-SC) + +- **Security Property**. Attackers can't read data. +- **Values**: + - None (`N`) + - No impact + - Low (`L`) + - Read access to some restricted data: + - No control over which data + - Amount/kind is limited + - **Examples**: + - Attacker can read internal debug messages and see some internal details (e.g. 
IP addresses), but no secrets or critical information + - Attacker can see user statistics + - High (`H`) + - Read all data or critical data + - **Examples**: + - SQL injection allowing database dump of the whole database + - Attacker can read another user's access tokens + +#### [Integrity (VI/SI)](https://www.first.org/cvss/v4-0/specification-document#Integrity-VI-SI) + +- **Security Property**. Attackers can't modify data. +- **Values**: + - None (`N`) + - No impact + - Low (`L`) + - Read access to some restricted data: + - No control over which data + - Amount/kind is limited + - **Examples**: + - Attacker can change another user's avatar image + - High (`H`) + - Modify all data or critical data + - **Examples**: + - SQL injection allowing database modifications + - Attacker can set another user's authentication details (e.g. password, tokens) + + +#### [Availability (VA/SA)](https://www.first.org/cvss/v4-0/specification-document#Availability-VA-SA) + +- **Security Property**. Attackers can't disrupt the service. +- **Values**: + - None (`N`) + - No impact + - Low (`L`) + - Some impact (performance) or partial impact + - **Examples**: + - Computationally intensive cryptographic operation can be abused to partially overload the CPU and cause slower server responses, but cannot completely deny the service + - Attacker can deny some non-critical functionality e.g. report generation + - High (`H`) + - Full service denial or critical parts being denied + - Fully deny access + - Sustained (for the duration of the attack) + - Persistent (even after the attack) + - Deny only access to some critical resources + - User login sessions + - **Examples**: + - Attacker can abuse a particular operation that would overload the server and prevent it from serving clients for the next 10 seconds. The attacker can sustain the attack with 1 request every 9-10 seconds. + - Attacker can send a malformed request the would crash the server. 
The service will no longer be available until it is manually restarted. + - Attacker can break the login functionality. Existing sessions remain intact, but users cannot sign in anymore (sustained or persistent). + + +--- + +**Resources**: + + - CVSS Documentation: [https://www.first.org/cvss/](https://www.first.org/cvss/) + - CVSS 4.0 Calculator: [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0) + - CVSS Examples: [https://www.first.org/cvss/v4-0/examples](https://www.first.org/cvss/v4-0/examples) + - CVSS User Guide: [https://www.first.org/cvss/v4-0/user-guide](https://www.first.org/cvss/v4-0/user-guide) diff --git a/trainingportal/static/lessons/cvss/cvss_intro.sol.md b/trainingportal/static/lessons/cvss/cvss_intro.sol.md index e69de29b..a739af78 100644 --- a/trainingportal/static/lessons/cvss/cvss_intro.sol.md +++ b/trainingportal/static/lessons/cvss/cvss_intro.sol.md @@ -0,0 +1 @@ +The CVSS specification is available at [https://www.first.org/cvss/](https://www.first.org/cvss/). \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json index f705b47d..d9ff3713 100644 --- a/trainingportal/static/lessons/cvss/definitions.json +++ b/trainingportal/static/lessons/cvss/definitions.json 
@@ -1,34 +1,30 @@ [ { "level":0, - "name":"Vulnerability Investigator", + "name":"CVSS", "challenges":[ { "id":"cvss_intro", - "name":"About CVSS", + "name":"Introduction", "description": "cvss_intro.md", "solution": "cvss_intro.sol.md", "type":"quiz", - "mission":"Choose the correct option", + "mission":"Which organization is responsible for the CVSS specification?", "options":[ { - "display":"Confidentiality: High, Integrity: High, Availability: High", - "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" + "display":"FIRST - Forum of Incident Response and Security Teams (https://www.first.org/)", + "value":"1" }, { - "display":"Confidentiality: High, Integrity: High, Availability: None", - "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" + "display":"NVD - National Vulnerability Database (https://nvd.nist.gov/)", + "value":"2" }, { - "display":"Confidentiality: High, Integrity: None, Availability: None", - "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" - }, - { - "display":"Confidentiality: None, Integrity: None, Availability: None", - "value":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N" + "display":"OWASP - Open Worldwide Application Security Project (https://owasp.org/)", + "value":"3" } ], - "answer":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", + "answer":"1", "codeBlockIds":[] } ] From dcce9493e400a044b2072d9bd045e2e07dfd4352 Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Tue, 26 Aug 2025 14:49:41 +0300 Subject: [PATCH 05/21] CVSS case studies --- .../static/lessons/cvss/cvss_case_studies.md | 113 ++++++++++++++++++ .../lessons/cvss/cvss_case_studies.sol.md | 1 + .../static/lessons/cvss/definitions.json | 32 +++++ 3 files changed, 146 insertions(+) create mode 100644 trainingportal/static/lessons/cvss/cvss_case_studies.md create mode 100644 trainingportal/static/lessons/cvss/cvss_case_studies.sol.md 
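Review bot: The answer key (`"answer":"1"`) now sits in a file under `trainingportal/static/`, right next to the option list it grades. If that directory is served to browsers as-is, or if the definitions object is returned by the API without removing `answer`, a learner can read the key directly and any digest computed from it on the server adds nothing. Neither the static-file configuration nor the API response is visible in this hunk, so this needs confirming. If it holds, keep `answer` in a server-only file keyed by challenge id, or strip it before the definition leaves the server. The same applies to `"answer":"5"` in the `cvss_case_studies` entry added by the next patch.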
diff --git a/trainingportal/static/lessons/cvss/cvss_case_studies.md b/trainingportal/static/lessons/cvss/cvss_case_studies.md new file mode 100644 index 00000000..447b2499 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_case_studies.md @@ -0,0 +1,113 @@ +## [CVE-2025-4427](https://nvd.nist.gov/vuln/detail/CVE-2025-4427) + +### Description +An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. + +### CVSS Score + +**NOTE:** The official NVD entry for this vulnerability contains 2 separate CVSS scores: one provided by the vendor and one provided by the National Vulnerability Database (NVD). The discrepancy here is in the impact metric for `Confidentiality`. The vendor claims `Low` impact, while the NVD claims `High` impact. This example demonstrates how even the technical aspects alone can be subject to interpretation and discussion. + +#### Vulnerability Dissection + +Looking at the description, we can inform some of the CVSS metrics: + +- `authentication bypass in the API` and `without proper credentials` + - Attack Vector: Network (`AV:N`) *(assuming a Web API)* + - Privileges Required: None (`PR:N`) +- `access protected resources` + - Confidentiality: High (`VC:H`) + +The rest we can keep with the CVSS defaults i.e. no exploitability requirements and no impact. + +#### CVE Official CVSS v3.1 Score +NVD: 7.5 High [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) + +#### Proposed CVSS v4.0 Score + +8.7 High [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) + +

+ +--- + +## [CVE-2020-4004](https://nvd.nist.gov/vuln/detail/CVE-2020-4004) + +### Description + +VMware ESXi (7.0 before ESXi70U1b-17168206, 6.7 before ESXi670-202011101-SG, 6.5 before ESXi650-202011301-SG), Workstation (15.x before 15.5.7), Fusion (11.x before 11.5.7) contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. + +### CVSS Score + +#### Vulnerability Dissection + +Looking at the description, we can inform some of the CVSS metrics: + +- `local administrative privileges` + - Attack Vector: Local (`AV:L`) + - Privileges Required: High (`PR:H`) +- `on a virtual machine` and `virtual machine's VMX process running on the host` + - Scope: Changed (`S:C`) in CVSS v3 + - Subsequent System impact in CVSS v4 +- `VMX process` + - The VMX process is a privileged process on the host, so all impact is High (`VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`) + +#### CVE Official CVSS v3.1 Score +NVD: 8.2 High [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) + +#### Proposed CVSS v4.0 Score +9.3 Critical [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) + +

+ +--- + +## [CVE-2025-40591](https://nvd.nist.gov/vuln/detail/CVE-2025-40591) + +### Description + +A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5) ... . The 'Log Viewers' tool in the web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated remote attacker to execute the 'tail' command with root privileges and disclose contents of all files in the filesystem. + +### CVSS Score + +#### Vulnerability Dissection + +Looking at the description, we can inform some of the CVSS metrics: + +- `authenticated remote attacker` + - Attack Vector: Network (`AV:N`) + - Privileges Required: Low (`PR:L`) +- `disclose contents of all files` + - Confidentiality: High (`C:H`) + - **Note**: Apart from the files of the application itself, an attacker can also read all files on the host. Hence, we have change of scope from the vulnerable system (the web application) with its own Authentication and Authorization (i.e. security scope) to the subsequent system (the host itself). + +#### CVE Official CVSS v4.0 Score +Siemens AG: 8.3 High [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N) + +

+ +--- + +## [CVE-2025-34124](https://nvd.nist.gov/vuln/detail/CVE-2025-34124) + +### Description + +A buffer overflow vulnerability exists in Heroes of Might and Magic III Complete 4.0.0.0, HD Mod 3.808 build 9, and Demo 1.0.0.0 via malicious .h3m map files that exploit object sprite name parsing logic. The vulnerability occurs during in-game map loading when a crafted object name causes a buffer overflow, potentially allowing arbitrary code execution. Exploitation requires the victim to open a malicious map file within the game. + +### CVSS Score + +#### Vulnerability Dissection + +Looking at the description, we can inform some of the CVSS metrics: + +- `via malicious .h3m map files` + - Attack Vector: Local (`AV:L`) +- `Exploitation requires the victim to open a malicious map file within the game` + - User Interaction: Active (`UI:A`) +- `arbitrary code execution` + - Confidentiality: High (`VC:H`) + - Integrity: High (`VI:H`) + - Availability: High (`VA:H`) + +#### CVE Official CVSS v4.0 Score + +VulnCheck: 8.4 High [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_case_studies.sol.md b/trainingportal/static/lessons/cvss/cvss_case_studies.sol.md new file mode 100644 index 00000000..004655e7 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_case_studies.sol.md @@ -0,0 +1 @@ +The [User Interaction (UI)](https://www.first.org/cvss/v4-0/specification-document#User-Interaction-UI) metric covers "the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system". \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json index d9ff3713..cbe3613e 100644 --- a/trainingportal/static/lessons/cvss/definitions.json 
+++ b/trainingportal/static/lessons/cvss/definitions.json @@ -26,6 +26,38 @@ ], "answer":"1", "codeBlockIds":[] + }, + { + "id":"cvss_case_studies", + "name":"Case Studies", + "description": "cvss_case_studies.md", + "solution": "cvss_case_studies.sol.md", + "type":"quiz", + "mission":"Which CVSS metric covers the following exploitation prerequisite: \"Attacker needs to trick a victim into ...\"", + "options":[ + { + "display": "Attack Vector (AV)", + "value":"1" + }, + { + "display":"Attack Complexity (AC)", + "value":"2" + }, + { + "display":"Attack Requirements (AT)", + "value":"3" + }, + { + "display":"Privileges Required (PR)", + "value":"4" + }, + { + "display":"User Interaction (UI)", + "value":"5" + } + ], + "answer":"5", + "codeBlockIds":[] } ] } From 8a33d48ae0473c6895e941b8671442fff27e0e74 Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Wed, 27 Aug 2025 16:31:43 +0300 Subject: [PATCH 06/21] CVSS Score 1 --- trainingportal/qna.js | 7 ++++++- trainingportal/static/lessons/cvss/cvss_score_1.md | 7 +++++++ .../static/lessons/cvss/cvss_score_1.sol.md | 11 +++++++++++ trainingportal/static/lessons/cvss/definitions.json | 9 +++++++++ 4 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 trainingportal/static/lessons/cvss/cvss_score_1.md create mode 100644 trainingportal/static/lessons/cvss/cvss_score_1.sol.md diff --git a/trainingportal/qna.js b/trainingportal/qna.js index 83f578e7..67c60396 100644 --- a/trainingportal/qna.js +++ b/trainingportal/qna.js @@ -231,6 +231,10 @@ let analysisEnc = (mes) => { return getRes(goldenKey, cipher); } +let cvss_score_1 = () => { + return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N")}; +} + const DEFS = { "crypto_caesar": caesarEnc, "crypto_vigenere": vigenereEnc, 
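Review bot: The option values are bare ordinals (`"1"` to `"5"`), and `"answer":"5"` draws on the same value space as the `cvss_intro` quiz, so nothing in the graded value ties it to this challenge. If the digest handed to the client is derived only from the answer text and a global salt (the helper is not visible in this hunk), every quiz whose answer is the same ordinal publishes the same digest. A learner who has solved one such quiz could then recognise the answer to another by comparing digests. Mixing the challenge id into the hashed value, for example hashing `cvss_case_studies:5` instead of `5`, removes the overlap; that change belongs in the digest code outside this hunk.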
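Review bot: `cvss_score_1` departs from the other `DEFS` entries without saying so: it takes no message argument, returns a bare `{"digest": ...}` instead of going through `getRes(...)` as `analysisEnc` does, and is snake_case next to `caesarEnc`/`analysisEnc`. Whether the caller copes with a result that has no `code` field cannot be seen from this hunk. A comment above the function such as `// fixed-answer quiz: no ciphertext, only the digest of the expected CVSS v4.0 vector` would record the intent. The same three-line body is repeated for `cvss_score_2` and `cvss_5_chain` in later patches of this series. A small factory, `const fixedAnswer = (vector) => () => ({ digest: getDigest(vector) });`, would keep the expected vectors in one table.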
@@ -239,7 +243,8 @@ const DEFS = { "crypto_hash": hashEnc, "crypto_xor": xorEnc, "crypto_pbk": pbkEnc, - "crypto_analysis": analysisEnc + "crypto_analysis": analysisEnc, + "cvss_score_1": cvss_score_1 } module.exports = { diff --git a/trainingportal/static/lessons/cvss/cvss_score_1.md b/trainingportal/static/lessons/cvss/cvss_score_1.md new file mode 100644 index 00000000..5bbe3ba3 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_score_1.md @@ -0,0 +1,7 @@ +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +### Scenario + +Unauthenticated attacker can list registered users of a SaaS offering. \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_score_1.sol.md b/trainingportal/static/lessons/cvss/cvss_score_1.sol.md new file mode 100644 index 00000000..e8a247f8 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_score_1.sol.md @@ -0,0 +1,11 @@ +- Attack Vector (AV): Network (N) +- Attack Complexity (AC): Low (L) +- Attack Requirements (AT): None (N) +- Privileges Required (PR): None (N) +- User Interaction (UI): None (N) +- Vulnerable System Confidentiality (VC): Low (L) +- Vulnerable System Integrity (VI): None (N) +- Vulnerable System Availability (VA): None (N) +- Subsequent System Confidentiality (SC): None (N) +- Subsequent System Integrity (SI): None (N) +- Subsequent System Availability (SA): None (N) \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json index cbe3613e..7100418c 100644 --- a/trainingportal/static/lessons/cvss/definitions.json +++ b/trainingportal/static/lessons/cvss/definitions.json 
@@ -58,6 +58,15 @@ ], "answer":"5", "codeBlockIds":[] + }, + { + "id":"cvss_score_1", + "name":"Score Vulnerability 1", + "description": "cvss_score_1.md", + "solution": "cvss_score_1.sol.md", + "type":"quiz", + "mission":"Enter the CVSS v4 string (Base Score)", + "codeBlockIds":[] } ] } From 3e1016c9d97e0b8bfe6cb3fc06dcf01f0bb91de6 Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Thu, 28 Aug 2025 10:59:47 +0300 Subject: [PATCH 07/21] CVSS Score 2 --- trainingportal/qna.js | 7 ++++++- trainingportal/static/lessons/cvss/cvss_score_2.md | 7 +++++++ .../static/lessons/cvss/cvss_score_2.sol.md | 11 +++++++++++ trainingportal/static/lessons/cvss/definitions.json | 9 +++++++++ 4 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 trainingportal/static/lessons/cvss/cvss_score_2.md create mode 100644 trainingportal/static/lessons/cvss/cvss_score_2.sol.md diff --git a/trainingportal/qna.js b/trainingportal/qna.js index 67c60396..dfc12af1 100644 --- a/trainingportal/qna.js +++ b/trainingportal/qna.js @@ -235,6 +235,10 @@ let cvss_score_1 = () => { return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N")}; } +let cvss_score_2 = () => { + return {"digest": getDigest("CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N")}; +} + const DEFS = { "crypto_caesar": caesarEnc, "crypto_vigenere": vigenereEnc, @@ -244,7 +248,8 @@ const DEFS = { "crypto_xor": xorEnc, "crypto_pbk": pbkEnc, "crypto_analysis": analysisEnc, - "cvss_score_1": cvss_score_1 + "cvss_score_1": cvss_score_1, + "cvss_score_2": cvss_score_2 } module.exports = { diff --git a/trainingportal/static/lessons/cvss/cvss_score_2.md b/trainingportal/static/lessons/cvss/cvss_score_2.md new file mode 100644 index 00000000..0b4abca8 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_score_2.md 
@@ -0,0 +1,7 @@ +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +### Scenario + +A malicious SaaS user with knowledge of another user’s unique 128-bit userid, can read all the information (e.g. details, activity, messages) for that user through an Authorization bypass in the API. \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_score_2.sol.md b/trainingportal/static/lessons/cvss/cvss_score_2.sol.md new file mode 100644 index 00000000..ce08477e --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_score_2.sol.md @@ -0,0 +1,11 @@ +- Attack Vector (AV): Network (N) +- Attack Complexity (AC): High (H) +- Attack Requirements (AT): None (N) +- Privileges Required (PR): Low (L) +- User Interaction (UI): None (N) +- Vulnerable System Confidentiality (VC): High (H) +- Vulnerable System Integrity (VI): None (N) +- Vulnerable System Availability (VA): None (N) +- Subsequent System Confidentiality (SC): None (N) +- Subsequent System Integrity (SI): None (N) +- Subsequent System Availability (SA): None (N) \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json index 7100418c..f7556306 100644 --- a/trainingportal/static/lessons/cvss/definitions.json +++ b/trainingportal/static/lessons/cvss/definitions.json @@ -67,6 +67,15 @@ "type":"quiz", "mission":"Enter the CVSS v4 string (Base Score)", "codeBlockIds":[] + }, + { + "id":"cvss_score_2", + "name":"Score Vulnerability 2", + "description": "cvss_score_2.md", + "solution": "cvss_score_2.sol.md", + "type":"quiz", + "mission":"Enter the CVSS v4 string (Base Score)", + "codeBlockIds":[] } ] } From c54c86e6ccf2eedf26044f76e63ddfd50283f842 Mon Sep 17 00:00:00 2001 
From: martindg <4148719+martindg@users.noreply.github.com> Date: Thu, 28 Aug 2025 11:18:37 +0300 Subject: [PATCH 08/21] Order .md files --- trainingportal/qna.js | 8 +++---- .../cvss/{cvss_intro.md => cvss_1_intro.md} | 0 ...{cvss_intro.sol.md => cvss_1_intro.sol.md} | 0 ...case_studies.md => cvss_2_case_studies.md} | 0 ...dies.sol.md => cvss_2_case_studies.sol.md} | 0 .../{cvss_score_1.md => cvss_3_score_1.md} | 0 ...s_score_1.sol.md => cvss_3_score_1.sol.md} | 0 .../{cvss_score_2.md => cvss_4_score_2.md} | 0 ...s_score_2.sol.md => cvss_4_score_2.sol.md} | 0 .../static/lessons/cvss/definitions.json | 24 +++++++++---------- 10 files changed, 16 insertions(+), 16 deletions(-) rename trainingportal/static/lessons/cvss/{cvss_intro.md => cvss_1_intro.md} (100%) rename trainingportal/static/lessons/cvss/{cvss_intro.sol.md => cvss_1_intro.sol.md} (100%) rename trainingportal/static/lessons/cvss/{cvss_case_studies.md => cvss_2_case_studies.md} (100%) rename trainingportal/static/lessons/cvss/{cvss_case_studies.sol.md => cvss_2_case_studies.sol.md} (100%) rename trainingportal/static/lessons/cvss/{cvss_score_1.md => cvss_3_score_1.md} (100%) rename trainingportal/static/lessons/cvss/{cvss_score_1.sol.md => cvss_3_score_1.sol.md} (100%) rename trainingportal/static/lessons/cvss/{cvss_score_2.md => cvss_4_score_2.md} (100%) rename trainingportal/static/lessons/cvss/{cvss_score_2.sol.md => cvss_4_score_2.sol.md} (100%) diff --git a/trainingportal/qna.js b/trainingportal/qna.js index dfc12af1..55429420 100644 --- a/trainingportal/qna.js +++ b/trainingportal/qna.js @@ -231,11 +231,11 @@ let analysisEnc = (mes) => { return getRes(goldenKey, cipher); } -let cvss_score_1 = () => { +let cvss_3_score_1 = () => { return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N")}; } -let cvss_score_2 = () => { +let cvss_4_score_2 = () => { return {"digest": getDigest("CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N")}; } 
@@ -248,8 +248,8 @@ const DEFS = { "crypto_xor": xorEnc, "crypto_pbk": pbkEnc, "crypto_analysis": analysisEnc, - "cvss_score_1": cvss_score_1, - "cvss_score_2": cvss_score_2 + "cvss_3_score_1": cvss_3_score_1, + "cvss_4_score_2": cvss_4_score_2 } module.exports = { diff --git a/trainingportal/static/lessons/cvss/cvss_intro.md b/trainingportal/static/lessons/cvss/cvss_1_intro.md similarity index 100% rename from trainingportal/static/lessons/cvss/cvss_intro.md rename to trainingportal/static/lessons/cvss/cvss_1_intro.md diff --git a/trainingportal/static/lessons/cvss/cvss_intro.sol.md b/trainingportal/static/lessons/cvss/cvss_1_intro.sol.md similarity index 100% rename from trainingportal/static/lessons/cvss/cvss_intro.sol.md rename to trainingportal/static/lessons/cvss/cvss_1_intro.sol.md diff --git a/trainingportal/static/lessons/cvss/cvss_case_studies.md b/trainingportal/static/lessons/cvss/cvss_2_case_studies.md similarity index 100% rename from trainingportal/static/lessons/cvss/cvss_case_studies.md rename to trainingportal/static/lessons/cvss/cvss_2_case_studies.md diff --git a/trainingportal/static/lessons/cvss/cvss_case_studies.sol.md b/trainingportal/static/lessons/cvss/cvss_2_case_studies.sol.md similarity index 100% rename from trainingportal/static/lessons/cvss/cvss_case_studies.sol.md rename to trainingportal/static/lessons/cvss/cvss_2_case_studies.sol.md diff --git a/trainingportal/static/lessons/cvss/cvss_score_1.md b/trainingportal/static/lessons/cvss/cvss_3_score_1.md similarity index 100% rename from trainingportal/static/lessons/cvss/cvss_score_1.md rename to trainingportal/static/lessons/cvss/cvss_3_score_1.md diff --git a/trainingportal/static/lessons/cvss/cvss_score_1.sol.md b/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md similarity index 100% rename from trainingportal/static/lessons/cvss/cvss_score_1.sol.md rename to trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md 
diff --git a/trainingportal/static/lessons/cvss/cvss_score_2.md b/trainingportal/static/lessons/cvss/cvss_4_score_2.md similarity index 100% rename from trainingportal/static/lessons/cvss/cvss_score_2.md rename to trainingportal/static/lessons/cvss/cvss_4_score_2.md diff --git a/trainingportal/static/lessons/cvss/cvss_score_2.sol.md b/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md similarity index 100% rename from trainingportal/static/lessons/cvss/cvss_score_2.sol.md rename to trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json index f7556306..68e24818 100644 --- a/trainingportal/static/lessons/cvss/definitions.json +++ b/trainingportal/static/lessons/cvss/definitions.json @@ -4,10 +4,10 @@ "name":"CVSS", "challenges":[ { - "id":"cvss_intro", + "id":"cvss_1_intro", "name":"Introduction", - "description": "cvss_intro.md", - "solution": "cvss_intro.sol.md", + "description": "cvss_1_intro.md", + "solution": "cvss_1_intro.sol.md", "type":"quiz", "mission":"Which organization is responsible for the CVSS specification?", "options":[ @@ -28,10 +28,10 @@ "codeBlockIds":[] }, { - "id":"cvss_case_studies", + "id":"cvss_2_case_studies", "name":"Case Studies", - "description": "cvss_case_studies.md", - "solution": "cvss_case_studies.sol.md", + "description": "cvss_2_case_studies.md", + "solution": "cvss_2_case_studies.sol.md", "type":"quiz", "mission":"Which CVSS metric covers the following exploitation prerequisite: \"Attacker needs to trick a victim into ...\"", "options":[ 
@@ -60,19 +60,19 @@ "codeBlockIds":[] }, { - "id":"cvss_score_1", + "id":"cvss_3_score_1", "name":"Score Vulnerability 1", - "description": "cvss_score_1.md", - "solution": "cvss_score_1.sol.md", + "description": "cvss_3_score_1.md", + "solution": "cvss_3_score_1.sol.md", "type":"quiz", "mission":"Enter the CVSS v4 string (Base Score)", "codeBlockIds":[] }, { - "id":"cvss_score_2", + "id":"cvss_4_score_2", "name":"Score Vulnerability 2", - "description": "cvss_score_2.md", - "solution": "cvss_score_2.sol.md", + "description": "cvss_4_score_2.md", + "solution": "cvss_4_score_2.sol.md", "type":"quiz", "mission":"Enter the CVSS v4 string (Base Score)", "codeBlockIds":[] From ad55fa98fc8c9d593570e8d63d2a38c627ed0acd Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Thu, 28 Aug 2025 13:37:43 +0300 Subject: [PATCH 09/21] Vulnerability Chaining --- trainingportal/qna.js | 7 ++++- .../static/lessons/cvss/cvss_5_chain.md | 28 +++++++++++++++++++ .../static/lessons/cvss/cvss_5_chain.sol.md | 13 +++++++++ .../static/lessons/cvss/definitions.json | 9 ++++++ 4 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 trainingportal/static/lessons/cvss/cvss_5_chain.md create mode 100644 trainingportal/static/lessons/cvss/cvss_5_chain.sol.md diff --git a/trainingportal/qna.js b/trainingportal/qna.js index 55429420..f1d71627 100644 --- a/trainingportal/qna.js +++ b/trainingportal/qna.js @@ -239,6 +239,10 @@ let cvss_4_score_2 = () => { return {"digest": getDigest("CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N")}; } +let cvss_5_chain = () => { + return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N")}; +} + const DEFS = { "crypto_caesar": caesarEnc, "crypto_vigenere": vigenereEnc, 
@@ -249,7 +253,8 @@ const DEFS = { "crypto_pbk": pbkEnc, "crypto_analysis": analysisEnc, "cvss_3_score_1": cvss_3_score_1, - "cvss_4_score_2": cvss_4_score_2 + "cvss_4_score_2": cvss_4_score_2, + "cvss_5_chain": cvss_5_chain } module.exports = { diff --git a/trainingportal/static/lessons/cvss/cvss_5_chain.md b/trainingportal/static/lessons/cvss/cvss_5_chain.md new file mode 100644 index 00000000..a69db475 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_5_chain.md @@ -0,0 +1,28 @@ +### Vulnerability Chaining + +The CVSS framework is designed for assessing an individual vulnerability having known the details on exploitability and impact. However, it is sometimes necessary to look into more complex attacks that leverage multiple vulnerabilities into a chain. While the CVSS is not specifically designed for more complex attacks, it does accommodate for scoring a single attack consisting of a vulnerability chain. + + +Vulnerability chaining is covered in the [CVSS User Guide](https://www.first.org/cvss/v4-0/user-guide#Vulnerability-Chaining). + +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +### Scenario + +This attack scenario consists of the 2 vulnerabilties we saw earlier. Imagine that an attacker is aware and has the ability to execute both of them as necessary to perform an attack. + +You can leverage the CVSS vectors of the previous 2 vulnerabilities that we scored. + +#### Vulnerability 1 + +Unauthenticated attacker can list registered users of a SaaS offering (username and userid). + +#### Vulnerability 2 + +A malicious SaaS user with knowledge of another user’s unique 128-bit userid, can read all the information (e.g. details, activity, messages) for that user through an Authorization bypass in the API. + +#### Impact + +The attacker is now able to read the information for all users. \ No newline at end of file 
diff --git a/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md b/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md new file mode 100644 index 00000000..62bb2d4c --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md @@ -0,0 +1,13 @@ +- Attack Vector: Network (N) +- Attack Complexity: Low (L) + - The requirement on knowing the unique userid is still present, however vulnerability 1 allows the attacker to easily obtain these for all users. +- Attack Requirements: None (N) +- Privileges Required: Low (L) + - The attacker still needs to be authenticated user in order to perform the second part of the attack i.e. obtain sensitive data. +- User Interaction: None (N) +- Vulnerable System Confidentiality: High (H) +- Vulnerable System Integrity: None (N) +- Vulnerable System Availability: None (N) +- Subsequent System Confidentiality: None (N) +- Subsequent System Integrity: None (N) +- Subsequent System Availability: None (N) \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json index 68e24818..8de6d6bc 100644 --- a/trainingportal/static/lessons/cvss/definitions.json +++ b/trainingportal/static/lessons/cvss/definitions.json @@ -76,6 +76,15 @@ "type":"quiz", "mission":"Enter the CVSS v4 string (Base Score)", "codeBlockIds":[] + }, + { + "id":"cvss_5_chain", + "name":"Chaining Vulnerabilities", + "description": "cvss_5_chain.md", + "solution": "cvss_5_chain.sol.md", + "type":"quiz", + "mission":"Enter the CVSS v4 string (Base Score)", + "codeBlockIds":[] } ] } From f4993212489deb979e1e3e04114d2fc5bc586b37 Mon Sep 17 00:00:00 2001 
From: martindg <4148719+martindg@users.noreply.github.com> Date: Thu, 28 Aug 2025 13:53:52 +0300 Subject: [PATCH 10/21] Add high-level analysis to solutions --- .../static/lessons/cvss/cvss_3_score_1.sol.md | 9 +++++++++ .../static/lessons/cvss/cvss_4_score_2.sol.md | 10 ++++++++++ .../static/lessons/cvss/cvss_5_chain.sol.md | 12 ++++++++++-- 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md b/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md index e8a247f8..6486156d 100644 --- a/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md +++ b/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md @@ -1,3 +1,12 @@ +High-level analysis: + +- Prerequisites: + - None +- Impact: + - Some limited amount data is exposed + +--- + - Attack Vector (AV): Network (N) - Attack Complexity (AC): Low (L) - Attack Requirements (AT): None (N) diff --git a/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md b/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md index ce08477e..ebf74557 100644 --- a/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md +++ b/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md @@ -1,3 +1,13 @@ +High-level analysis: + +- Prerequisites: + - Knowledge of a 128-bit userid of a victim + - Valid login session +- Impact: + - Full impact on all information related to the user, including sensitive data + +--- + - Attack Vector (AV): Network (N) - Attack Complexity (AC): High (H) - Attack Requirements (AT): None (N) diff --git a/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md b/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md index 62bb2d4c..48f24f68 100644 --- a/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md +++ b/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md 
@@ -1,9 +1,17 @@ +High-level analysis: + +- Prerequisites: + - Previous prerequisite of "Knowledge of a 128-bit userid of a victim" is now easily satisfied by Vulnerability 1 + - Valid login session +- Impact: + - Full impact on all information related to **any** user, including sensitive data + +--- + - Attack Vector: Network (N) - Attack Complexity: Low (L) - - The requirement on knowing the unique userid is still present, however vulnerability 1 allows the attacker to easily obtain these for all users. - Attack Requirements: None (N) - Privileges Required: Low (L) - - The attacker still needs to be authenticated user in order to perform the second part of the attack i.e. obtain sensitive data. - User Interaction: None (N) - Vulnerable System Confidentiality: High (H) - Vulnerable System Integrity: None (N) From f395ebbe218a2cf1146d8495ac8ac00fe1875ca6 Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Thu, 28 Aug 2025 13:57:13 +0300 Subject: [PATCH 11/21] Improve readability --- trainingportal/static/lessons/cvss/cvss_3_score_1.md | 6 +++++- .../static/lessons/cvss/cvss_3_score_1.sol.md | 2 ++ trainingportal/static/lessons/cvss/cvss_4_score_2.md | 6 +++++- .../static/lessons/cvss/cvss_4_score_2.sol.md | 2 ++ trainingportal/static/lessons/cvss/cvss_5_chain.md | 12 +++++++++++- .../static/lessons/cvss/cvss_5_chain.sol.md | 2 ++ 6 files changed, 27 insertions(+), 3 deletions(-) diff --git a/trainingportal/static/lessons/cvss/cvss_3_score_1.md b/trainingportal/static/lessons/cvss/cvss_3_score_1.md index 5bbe3ba3..5a77f160 100644 --- a/trainingportal/static/lessons/cvss/cvss_3_score_1.md +++ b/trainingportal/static/lessons/cvss/cvss_3_score_1.md @@ -2,6 +2,10 @@ Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). +

+ ### Scenario -Unauthenticated attacker can list registered users of a SaaS offering. \ No newline at end of file +Unauthenticated attacker can list registered users of a SaaS offering. + +

diff --git a/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md b/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md index 6486156d..72db7214 100644 --- a/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md +++ b/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md @@ -7,6 +7,8 @@ High-level analysis: --- +CVSS: + - Attack Vector (AV): Network (N) - Attack Complexity (AC): Low (L) - Attack Requirements (AT): None (N) diff --git a/trainingportal/static/lessons/cvss/cvss_4_score_2.md b/trainingportal/static/lessons/cvss/cvss_4_score_2.md index 0b4abca8..b9125ef2 100644 --- a/trainingportal/static/lessons/cvss/cvss_4_score_2.md +++ b/trainingportal/static/lessons/cvss/cvss_4_score_2.md @@ -2,6 +2,10 @@ Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). +

+ ### Scenario -A malicious SaaS user with knowledge of another user’s unique 128-bit userid, can read all the information (e.g. details, activity, messages) for that user through an Authorization bypass in the API. \ No newline at end of file +A malicious SaaS user with knowledge of another user’s unique 128-bit userid, can read all the information (e.g. details, activity, messages) for that user through an Authorization bypass in the API. + +

diff --git a/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md b/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md index ebf74557..4bc91ac3 100644 --- a/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md +++ b/trainingportal/static/lessons/cvss/cvss_4_score_2.sol.md @@ -8,6 +8,8 @@ High-level analysis: --- +CVSS: + - Attack Vector (AV): Network (N) - Attack Complexity (AC): High (H) - Attack Requirements (AT): None (N) diff --git a/trainingportal/static/lessons/cvss/cvss_5_chain.md b/trainingportal/static/lessons/cvss/cvss_5_chain.md index a69db475..de8f840d 100644 --- a/trainingportal/static/lessons/cvss/cvss_5_chain.md +++ b/trainingportal/static/lessons/cvss/cvss_5_chain.md @@ -9,20 +9,30 @@ Vulnerability chaining is covered in the [CVSS User Guide](https://www.first.org Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). +

+ ### Scenario This attack scenario consists of the 2 vulnerabilties we saw earlier. Imagine that an attacker is aware and has the ability to execute both of them as necessary to perform an attack. You can leverage the CVSS vectors of the previous 2 vulnerabilities that we scored. +

+ #### Vulnerability 1 Unauthenticated attacker can list registered users of a SaaS offering (username and userid). +

+ #### Vulnerability 2 A malicious SaaS user with knowledge of another user’s unique 128-bit userid, can read all the information (e.g. details, activity, messages) for that user through an Authorization bypass in the API. +

+ #### Impact -The attacker is now able to read the information for all users. \ No newline at end of file +The attacker is now able to read the information for all users. + +

diff --git a/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md b/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md index 48f24f68..7fbb12b9 100644 --- a/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md +++ b/trainingportal/static/lessons/cvss/cvss_5_chain.sol.md @@ -8,6 +8,8 @@ High-level analysis: --- +CVSS: + - Attack Vector: Network (N) - Attack Complexity: Low (L) - Attack Requirements: None (N) From 2f8bf1871ddbe5d3cbc6b554b47e562ac3c37c6c Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Thu, 28 Aug 2025 15:32:37 +0300 Subject: [PATCH 12/21] CVSS Score 3 --- trainingportal/qna.js | 6 ++++- .../static/lessons/cvss/cvss_6_score_3.md | 21 ++++++++++++++++++ .../static/lessons/cvss/cvss_6_score_3.sol.md | 22 +++++++++++++++++++ .../static/lessons/cvss/definitions.json | 9 ++++++++ 4 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 trainingportal/static/lessons/cvss/cvss_6_score_3.md create mode 100644 trainingportal/static/lessons/cvss/cvss_6_score_3.sol.md diff --git a/trainingportal/qna.js b/trainingportal/qna.js index f1d71627..91d35d23 100644 --- a/trainingportal/qna.js +++ b/trainingportal/qna.js @@ -243,6 +243,9 @@ let cvss_5_chain = () => { return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N")}; } +let cvss_6_score_3 = () => { + return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N")}; +} const DEFS = { "crypto_caesar": caesarEnc, "crypto_vigenere": vigenereEnc, @@ -254,7 +257,8 @@ const DEFS = { "crypto_analysis": analysisEnc, "cvss_3_score_1": cvss_3_score_1, "cvss_4_score_2": cvss_4_score_2, - "cvss_5_chain": cvss_5_chain + "cvss_5_chain": cvss_5_chain, + "cvss_6_score_3": cvss_6_score_3 } module.exports = { diff --git a/trainingportal/static/lessons/cvss/cvss_6_score_3.md b/trainingportal/static/lessons/cvss/cvss_6_score_3.md new file mode 100644 index 00000000..659d3e85 --- /dev/null 
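Review bot: The expected answer for `cvss_6_score_3` is a string literal inside the new function in `qna.js`, separate from the vector spelled out in `cvss_6_score_3.sol.md`, and nothing in this hunk ties the two together, so an edit to either one silently makes the quiz reject the documented answer. The same pattern repeats in the later `qna.js` hunks that add `cvss_7_score_4`, `cvss_8_score_5` and `cvss_9_score_6`. The digest also appears to be handed to the client as `challenge.question` (earlier patch in this series), and a CVSS v4.0 base vector has only roughly a hundred thousand possible values, so the digest protects the answer only as long as `masterSalt` stays secret and high-entropy; where `masterSalt` comes from is not shown here. I would record both facts above these functions, for example `// Expected vector; keep in sync with cvss_6_score_3.sol.md. Digest secrecy rests on masterSalt (small answer space).`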
+++ b/trainingportal/static/lessons/cvss/cvss_6_score_3.md @@ -0,0 +1,21 @@ +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +

+ +### Scenario + +The company "PCGamingCompany.insecure.example" offers computer games to its customers. The service offers an easy sign up for new customers. + +From a technical standpoint, they have a web client and a desktop client. In order for customers to play games, they have to download the desktop client and log into their account. + +

+ +#### Vulnerability + +An authenticated attacker can leverage an Authorization bypass in the API and see all the games owned by a particular user. + +**Note:** For this example we can assume that userids are easily guessable. This is an issue on its own, but is out of scope for this example. + +

\ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_6_score_3.sol.md b/trainingportal/static/lessons/cvss/cvss_6_score_3.sol.md new file mode 100644 index 00000000..b84e46dc --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_6_score_3.sol.md @@ -0,0 +1,22 @@ +High-level analysis: + +- Prerequisites: + - None. Even if from technical point of view the API does require authentication, it is easy for an attacker to obtain a normal account and leverage that. Per the [CVSS Specification](https://www.first.org/cvss/v4-0/specification-document#Privileges-Required-PR): "Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack". +- Impact: + - Some non-sensitive data are exposed + +--- + +CVSS: + +- Attack Vector: Network (N) +- Attack Complexity: Low (L) +- Attack Requirements: None (N) +- Privileges Required: None (N) +- User Interaction: None (N) +- Vulnerable SystemConfidentiality: Low (L) +- Vulnerable System Integrity: None (N) +- Vulnerable System Availability: None (N) +- Subsequent System Confidentiality: None (N) +- Subsequent System Integrity: None (N) +- Subsequent System Availability: None (N) \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json index 8de6d6bc..1a555845 100644 --- a/trainingportal/static/lessons/cvss/definitions.json +++ b/trainingportal/static/lessons/cvss/definitions.json @@ -85,6 +85,15 @@ "type":"quiz", "mission":"Enter the CVSS v4 string (Base Score)", "codeBlockIds":[] + }, + { + "id":"cvss_6_score_3", + "name":"Score Vulnerability 3", + "description": "cvss_6_score_3.md", + "solution": "cvss_6_score_3.sol.md", + "type":"quiz", + "mission":"Enter the CVSS v4 string (Base Score)", + "codeBlockIds":[] } ] } From 61cef0bf59a9b23717163f789abfca0b4bf27cfb Mon Sep 17 00:00:00 2001 
From: martindg <4148719+martindg@users.noreply.github.com> Date: Thu, 28 Aug 2025 17:12:15 +0300 Subject: [PATCH 13/21] CVSS Score 4 --- trainingportal/qna.js | 8 ++++++- .../static/lessons/cvss/cvss_7_score_4.md | 21 +++++++++++++++++ .../static/lessons/cvss/cvss_7_score_4.sol.md | 23 +++++++++++++++++++ .../static/lessons/cvss/definitions.json | 9 ++++++++ 4 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 trainingportal/static/lessons/cvss/cvss_7_score_4.md create mode 100644 trainingportal/static/lessons/cvss/cvss_7_score_4.sol.md diff --git a/trainingportal/qna.js b/trainingportal/qna.js index 91d35d23..6227c02c 100644 --- a/trainingportal/qna.js +++ b/trainingportal/qna.js @@ -246,6 +246,11 @@ let cvss_5_chain = () => { let cvss_6_score_3 = () => { return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N")}; } + +let cvss_7_score_4 = () => { + return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N")}; +} + const DEFS = { "crypto_caesar": caesarEnc, "crypto_vigenere": vigenereEnc, @@ -258,7 +263,8 @@ const DEFS = { "cvss_3_score_1": cvss_3_score_1, "cvss_4_score_2": cvss_4_score_2, "cvss_5_chain": cvss_5_chain, - "cvss_6_score_3": cvss_6_score_3 + "cvss_6_score_3": cvss_6_score_3, + "cvss_7_score_4": cvss_7_score_4 } module.exports = { diff --git a/trainingportal/static/lessons/cvss/cvss_7_score_4.md b/trainingportal/static/lessons/cvss/cvss_7_score_4.md new file mode 100644 index 00000000..ac680726 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_7_score_4.md @@ -0,0 +1,21 @@ +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +

+ +### Scenario + +The company "PCGamingCompany.insecure.example" offers computer games to its customers. The service offers an easy sign up for new customers. + +From a technical standpoint, they have a web client and a desktop client. In order for customers to play games, they have to download the desktop client and log into their account. + +

+ +#### Vulnerability + +An authenticated attacker can leverage an Authorization bypass in a development debug API that got into production to read arbitrary files on the filesystem of a victim with installed desktop client. + +**Note:** For this example we can assume that userids are easily guessable. This is an issue on its own, but is out of scope for this example. + +

\ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_7_score_4.sol.md b/trainingportal/static/lessons/cvss/cvss_7_score_4.sol.md new file mode 100644 index 00000000..4d527346 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_7_score_4.sol.md @@ -0,0 +1,23 @@ +High-level analysis: + +- Prerequisites: + - None. Even if from technical point of view the API does require authentication, it is easy for an attacker to obtain a normal account and leverage that. Per the [CVSS Specification](https://www.first.org/cvss/v4-0/specification-document#Privileges-Required-PR): "Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack". +- Impact: + - There is High impact on Confidentiality as all files on the victim's machine can be read by the attacker. + - While the attacker leverages the Vulnerable System (i.e. the Web API), the impact is on a Subsequent System (i.e. the victim's machine), so we have a change of scope and impact on Subsequent System + +--- + +CVSS: + +- Attack Vector: Network (N) +- Attack Complexity: Low (L) +- Attack Requirements: None (N) +- Privileges Required: None (N) +- User Interaction: None (N) +- Vulnerable System Confidentiality: None (N) +- Vulnerable System Integrity: None (N) +- Vulnerable System Availability: None (N) +- Subsequent System Confidentiality: High (H) +- Subsequent System Integrity: None (N) +- Subsequent System Availability: None (N) diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json index 1a555845..073ed6a8 100644 --- a/trainingportal/static/lessons/cvss/definitions.json +++ b/trainingportal/static/lessons/cvss/definitions.json 
@@ -94,6 +94,15 @@ "type":"quiz", "mission":"Enter the CVSS v4 string (Base Score)", "codeBlockIds":[] + }, + { + "id":"cvss_7_score_4", + "name":"Score Vulnerability 4", + "description": "cvss_7_score_4.md", + "solution": "cvss_7_score_4.sol.md", + "type":"quiz", + "mission":"Enter the CVSS v4 string (Base Score)", + "codeBlockIds":[] } ] } From 144131faa967c6fd39a23e82767c0ed3ad1b9957 Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Thu, 28 Aug 2025 17:46:26 +0300 Subject: [PATCH 14/21] CVSS Score 5 --- trainingportal/qna.js | 7 +++++- .../static/lessons/cvss/cvss_8_score_5.md | 19 +++++++++++++++ .../static/lessons/cvss/cvss_8_score_5.sol.md | 24 +++++++++++++++++++ .../static/lessons/cvss/definitions.json | 9 +++++++ 4 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 trainingportal/static/lessons/cvss/cvss_8_score_5.md create mode 100644 trainingportal/static/lessons/cvss/cvss_8_score_5.sol.md diff --git a/trainingportal/qna.js b/trainingportal/qna.js index 6227c02c..8553e9b1 100644 --- a/trainingportal/qna.js +++ b/trainingportal/qna.js @@ -251,6 +251,10 @@ let cvss_7_score_4 = () => { return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N")}; } +let cvss_8_score_5 = () => { + return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N")}; +} + const DEFS = { "crypto_caesar": caesarEnc, "crypto_vigenere": vigenereEnc, @@ -264,7 +268,8 @@ const DEFS = { "cvss_4_score_2": cvss_4_score_2, "cvss_5_chain": cvss_5_chain, "cvss_6_score_3": cvss_6_score_3, - "cvss_7_score_4": cvss_7_score_4 + "cvss_7_score_4": cvss_7_score_4, + "cvss_8_score_5": cvss_8_score_5 } module.exports = { diff --git a/trainingportal/static/lessons/cvss/cvss_8_score_5.md b/trainingportal/static/lessons/cvss/cvss_8_score_5.md new file mode 100644 index 00000000..da307a4c --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_8_score_5.md 
@@ -0,0 +1,19 @@ +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +

+ +### Scenario + +The company "PCGamingCompany.insecure.example" offers computer games to its customers. The service offers an easy sign up for new customers. + +From a technical standpoint, they have a web client and a desktop client. In order for customers to play games, they have to download the desktop client and log into their account. + +

+ +#### Vulnerability + +An attacker can cause a denial of service impact on the telemetry service by providing specially crafted data. The attacker can maliciously change the filename of a locally available game (installed by the gaming desktop client). The desktop client will then try to report this filename and the telemetry service will crash. As a result, customers won't be able to see their gaming statistics, but will still be able to play normally their games. + +

\ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_8_score_5.sol.md b/trainingportal/static/lessons/cvss/cvss_8_score_5.sol.md new file mode 100644 index 00000000..735ff8ec --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_8_score_5.sol.md @@ -0,0 +1,24 @@ +High-level analysis: + +- Prerequisites: + - None. + - Even if from technical point of view the API does require authentication, it is easy for an attacker to obtain a normal account and leverage that. Per the [CVSS Specification](https://www.first.org/cvss/v4-0/specification-document#Privileges-Required-PR): "Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack". + - Despite the attacker starting from a local system with the desktop client being installed, they are actually targeting the Vulnerable System (the telemetry API) remotely over the network. It is within the attacker's control the sign up and install the desktop client on a machine they control. +- Impact: + - Non-critical service is impacted + +--- + +CVSS: + +- Attack Vector: Network (N) +- Attack Complexity: Low (L) +- Attack Requirements: None (N) +- Privileges Required: None (N) +- User Interaction: None (N) +- Vulnerable System Confidentiality: None (N) +- Vulnerable System Integrity: None (N) +- Vulnerable System Availability: Low (L) +- Subsequent System Confidentiality: None (N) +- Subsequent System Integrity: None (N) +- Subsequent System Availability: None (N) diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json index 073ed6a8..21e2efdb 100644 --- a/trainingportal/static/lessons/cvss/definitions.json +++ b/trainingportal/static/lessons/cvss/definitions.json 
@@ -103,6 +103,15 @@ "type":"quiz", "mission":"Enter the CVSS v4 string (Base Score)", "codeBlockIds":[] + }, + { + "id":"cvss_8_score_5", + "name":"Score Vulnerability 5", + "description": "cvss_8_score_5.md", + "solution": "cvss_8_score_5.sol.md", + "type":"quiz", + "mission":"Enter the CVSS v4 string (Base Score)", + "codeBlockIds":[] } ] } From d7709a09ec538afdd1ca3d6acd2fd66442270fd4 Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Thu, 28 Aug 2025 18:24:49 +0300 Subject: [PATCH 15/21] CVSS Score 6 --- trainingportal/qna.js | 7 ++++- .../static/lessons/cvss/cvss_9_score_6.md | 21 +++++++++++++++ .../static/lessons/cvss/cvss_9_score_6.sol.md | 26 +++++++++++++++++++ .../static/lessons/cvss/definitions.json | 9 +++++++ 4 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 trainingportal/static/lessons/cvss/cvss_9_score_6.md create mode 100644 trainingportal/static/lessons/cvss/cvss_9_score_6.sol.md diff --git a/trainingportal/qna.js b/trainingportal/qna.js index 8553e9b1..268909e6 100644 --- a/trainingportal/qna.js +++ b/trainingportal/qna.js @@ -255,6 +255,10 @@ let cvss_8_score_5 = () => { return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N")}; } +let cvss_9_score_6 = () => { + return {"digest": getDigest("CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N")}; +} + const DEFS = { "crypto_caesar": caesarEnc, "crypto_vigenere": vigenereEnc, @@ -269,7 +273,8 @@ const DEFS = { "cvss_5_chain": cvss_5_chain, "cvss_6_score_3": cvss_6_score_3, "cvss_7_score_4": cvss_7_score_4, - "cvss_8_score_5": cvss_8_score_5 + "cvss_8_score_5": cvss_8_score_5, + "cvss_9_score_6": cvss_9_score_6 } module.exports = { diff --git a/trainingportal/static/lessons/cvss/cvss_9_score_6.md b/trainingportal/static/lessons/cvss/cvss_9_score_6.md new file mode 100644 index 00000000..b60a3228 --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_9_score_6.md 
@@ -0,0 +1,21 @@ +### Task + +Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0). + +

+ +### Scenario + +The company "PCGamingCompany.insecure.example" offers computer games to its customers. The service offers an easy sign up for new customers. + +From a technical standpoint, they have a web client and a desktop client. In order for customers to play games, they have to download the desktop client and log into their account. + +

+ +#### Vulnerability + +A Local Privilege Escalation (LPE) vulnerability was identified in the desktop client. A low-privileged attacker on the machine can trick the gaming client into overwriting any file on the filesystem with attacker provided content by preparing a specially crafted symbolic link. + +The attack works by leveraging the upgrade process which uses unsecured temporary folder for storing upgrade files. The desktop client will overwrite any file as a privileged user. As a result, the attacker can become a privileged user on the machine. + +

\ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/cvss_9_score_6.sol.md b/trainingportal/static/lessons/cvss/cvss_9_score_6.sol.md new file mode 100644 index 00000000..7d2d60ec --- /dev/null +++ b/trainingportal/static/lessons/cvss/cvss_9_score_6.sol.md @@ -0,0 +1,26 @@ +High-level analysis: + +- Prerequisites: + - The attacker needs to have a local access as a low-privileg user on the system they want to gain privileges on +- Impact: + - Complete compromise of the system where the gaming desktop client is installed + - **NOTE**: There is no change of scope here from a Vulnerable System to a Subsequent System. + - This case is covered in the [CVSS User Guide](https://www.first.org/cvss/v4-0/user-guide#Vulnerable-System-and-Subsequent-System) (PDF reader example). + - The gaming desktop client does not have its own local Authorization and Authentication functionality. + - However, the product makes the customer insecure as it provides an LPE attack surface. + +--- + +CVSS: + +- Attack Vector(AV): Local (L) +- Attack Complexity (AC): Low (L) +- Attack Requirements (AT): None (N) +- Privileges Required (PR): Low (L) +- User Interaction (UI): None (N) +- Vulnerable System Confidentiality(VC): High (H) +- Vulnerable System Integrity (VI): High (H) +- Vulnerable System Availability (VA): High (H) +- Subsequent System Confidentiality (SC): None (N) +- Subsequent System Integrity (SI): None (N) +- Subsequent System Availability (SA): None (N) \ No newline at end of file diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json index 21e2efdb..ab53d6af 100644 --- a/trainingportal/static/lessons/cvss/definitions.json +++ b/trainingportal/static/lessons/cvss/definitions.json 
@@ -112,6 +112,15 @@ "type":"quiz", "mission":"Enter the CVSS v4 string (Base Score)", "codeBlockIds":[] + }, + { + "id":"cvss_9_score_6", + "name":"Score Vulnerability 6", + "description": "cvss_9_score_6.md", + "solution": "cvss_9_score_6.sol.md", + "type":"quiz", + "mission":"Enter the CVSS v4 string (Base Score)", + "codeBlockIds":[] } ] } From cff8fb4bb84712e483ab4815bc3615ef2ff0ea54 Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Thu, 28 Aug 2025 18:26:36 +0300 Subject: [PATCH 16/21] Minor improvements --- trainingportal/static/lessons/cvss/cvss_1_intro.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/trainingportal/static/lessons/cvss/cvss_1_intro.md b/trainingportal/static/lessons/cvss/cvss_1_intro.md index 2448bd8b..8ae7763d 100644 --- a/trainingportal/static/lessons/cvss/cvss_1_intro.md +++ b/trainingportal/static/lessons/cvss/cvss_1_intro.md @@ -150,6 +150,8 @@ CVSS Base metrics go into 2 broad categories: - [regreSSHion CVE-2024-6387](https://www.first.org/cvss/v4-0/examples#regreSSHion-CVE-2024-6387) - Attackers must defeat memory safety defenses in order to achieve code execution +**NOTE**: It is important to note that Attack Complexity is **not** related to exploit complexity. A proof-of-concept for exploiting a vulnerability may be a sophisticated piece of code itself, but that does not necessarily have effect on the Attack Complexity metric. You should ask not "How hard would it be for someone to design the exploit code?", but instead ask "How hard would it be for someone having access to the exploit code to overcome the security conditions in order for this attack to work?" + #### [Attack Requirements (AT)](https://www.first.org/cvss/v4-0/specification-document#Attack-Requirements-AT) - **Question**: Are there any non-security-specific conditions that need to be overcome? 
@@ -226,7 +228,7 @@ Impact is only measured in terms of what is gained by exploiting a vulnerability CVSS v4 introduces separate impact scores for the Vulnerable (`V`) system and Subsequent (`S`) systems (previously in CVSS v3 this used to be marked by a Scope (`S`) metric). -The CVSS documentation includes a [User Guide](https://www.first.org/cvss/v4-0/user-guide#Vulnerable-System-and-Subsequent-System) with some examples on scope scoring. +The CVSS documentation includes a [CVSS User Guide](https://www.first.org/cvss/v4-0/user-guide#Vulnerable-System-and-Subsequent-System) with some examples on scope scoring. Examples of change of scope (vulnerable to subsequent) for impact: From 1cbccdce3cf728cdcd1a34f428492e9e6d00b3fc Mon Sep 17 00:00:00 2001 From: martindg <4148719+martindg@users.noreply.github.com> Date: Thu, 28 Aug 2025 18:26:36 +0300 Subject: [PATCH 17/21] Minor improvements --- trainingportal/static/lessons/cvss/cvss_1_intro.md | 4 +++- .../static/lessons/cvss/cvss_3_score_1.sol.md | 2 +- .../static/lessons/cvss/definitions.json | 14 +++++++------- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/trainingportal/static/lessons/cvss/cvss_1_intro.md b/trainingportal/static/lessons/cvss/cvss_1_intro.md index 2448bd8b..8ae7763d 100644 --- a/trainingportal/static/lessons/cvss/cvss_1_intro.md +++ b/trainingportal/static/lessons/cvss/cvss_1_intro.md 
@@ -150,6 +150,8 @@ CVSS Base metrics go into 2 broad categories: - [regreSSHion CVE-2024-6387](https://www.first.org/cvss/v4-0/examples#regreSSHion-CVE-2024-6387) - Attackers must defeat memory safety defenses in order to achieve code execution +**NOTE**: It is important to note that Attack Complexity is **not** related to exploit complexity. A proof-of-concept for exploiting a vulnerability may be a sophisticated piece of code itself, but that does not necessarily have effect on the Attack Complexity metric. You should ask not "How hard would it be for someone to design the exploit code?", but instead ask "How hard would it be for someone having access to the exploit code to overcome the security conditions in order for this attack to work?" + #### [Attack Requirements (AT)](https://www.first.org/cvss/v4-0/specification-document#Attack-Requirements-AT) - **Question**: Are there any non-security-specific conditions that need to be overcome? @@ -226,7 +228,7 @@ Impact is only measured in terms of what is gained by exploiting a vulnerability CVSS v4 introduces separate impact scores for the Vulnerable (`V`) system and Subsequent (`S`) systems (previously in CVSS v3 this used to be marked by a Scope (`S`) metric). -The CVSS documentation includes a [User Guide](https://www.first.org/cvss/v4-0/user-guide#Vulnerable-System-and-Subsequent-System) with some examples on scope scoring. +The CVSS documentation includes a [CVSS User Guide](https://www.first.org/cvss/v4-0/user-guide#Vulnerable-System-and-Subsequent-System) with some examples on scope scoring. Examples of change of scope (vulnerable to subsequent) for impact: diff --git a/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md b/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md index 72db7214..79ba72a7 100644 --- a/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md +++ b/trainingportal/static/lessons/cvss/cvss_3_score_1.sol.md 
@@ -3,7 +3,7 @@ High-level analysis: - Prerequisites: - None - Impact: - - Some limited amount data is exposed + - Some limited amount of data is exposed --- diff --git a/trainingportal/static/lessons/cvss/definitions.json b/trainingportal/static/lessons/cvss/definitions.json index ab53d6af..e218ce51 100644 --- a/trainingportal/static/lessons/cvss/definitions.json +++ b/trainingportal/static/lessons/cvss/definitions.json @@ -65,7 +65,7 @@ "description": "cvss_3_score_1.md", "solution": "cvss_3_score_1.sol.md", "type":"quiz", - "mission":"Enter the CVSS v4 string (Base Score)", + "mission":"Enter the CVSS v4 Vector string (i.e. CVSS:4.0/AV:x/AC:x/AT:x/PR:x/UI:x/VC:x/VI:x/VA:x/SC:x/SI:x/SA:x) which can be copied by clicking on the green CVSS Vector box in the CVSS calculator", "codeBlockIds":[] }, { @@ -74,7 +74,7 @@ "description": "cvss_4_score_2.md", "solution": "cvss_4_score_2.sol.md", "type":"quiz", - "mission":"Enter the CVSS v4 string (Base Score)", + "mission":"Enter the CVSS v4 Vector string (i.e. CVSS:4.0/AV:x/AC:x/AT:x/PR:x/UI:x/VC:x/VI:x/VA:x/SC:x/SI:x/SA:x) which can be copied by clicking on the green CVSS Vector box in the CVSS calculator", "codeBlockIds":[] }, { @@ -83,7 +83,7 @@ "description": "cvss_5_chain.md", "solution": "cvss_5_chain.sol.md", "type":"quiz", - "mission":"Enter the CVSS v4 string (Base Score)", + "mission":"Enter the CVSS v4 Vector string (i.e. CVSS:4.0/AV:x/AC:x/AT:x/PR:x/UI:x/VC:x/VI:x/VA:x/SC:x/SI:x/SA:x) which can be copied by clicking on the green CVSS Vector box in the CVSS calculator", "codeBlockIds":[] }, { @@ -92,7 +92,7 @@ "description": "cvss_6_score_3.md", "solution": "cvss_6_score_3.sol.md", "type":"quiz", - "mission":"Enter the CVSS v4 string (Base Score)", + "mission":"Enter the CVSS v4 Vector string (i.e. CVSS:4.0/AV:x/AC:x/AT:x/PR:x/UI:x/VC:x/VI:x/VA:x/SC:x/SI:x/SA:x) which can be copied by clicking on the green CVSS Vector box in the CVSS calculator", "codeBlockIds":[] }, { 
@@ -101,7 +101,7 @@
 "description": "cvss_7_score_4.md",
 "solution": "cvss_7_score_4.sol.md",
 "type":"quiz",
- "mission":"Enter the CVSS v4 string (Base Score)",
+ "mission":"Enter the CVSS v4 Vector string (i.e. CVSS:4.0/AV:x/AC:x/AT:x/PR:x/UI:x/VC:x/VI:x/VA:x/SC:x/SI:x/SA:x) which can be copied by clicking on the green CVSS Vector box in the CVSS calculator",
 "codeBlockIds":[]
 },
 {
@@ -110,7 +110,7 @@
 "description": "cvss_8_score_5.md",
 "solution": "cvss_8_score_5.sol.md",
 "type":"quiz",
- "mission":"Enter the CVSS v4 string (Base Score)",
+ "mission":"Enter the CVSS v4 Vector string (i.e. CVSS:4.0/AV:x/AC:x/AT:x/PR:x/UI:x/VC:x/VI:x/VA:x/SC:x/SI:x/SA:x) which can be copied by clicking on the green CVSS Vector box in the CVSS calculator",
 "codeBlockIds":[]
 },
 {
@@ -119,7 +119,7 @@
 "description": "cvss_9_score_6.md",
 "solution": "cvss_9_score_6.sol.md",
 "type":"quiz",
- "mission":"Enter the CVSS v4 string (Base Score)",
+ "mission":"Enter the CVSS v4 Vector string (i.e. CVSS:4.0/AV:x/AC:x/AT:x/PR:x/UI:x/VC:x/VI:x/VA:x/SC:x/SI:x/SA:x) which can be copied by clicking on the green CVSS Vector box in the CVSS calculator",
 "codeBlockIds":[]
 }
 ]
From 16730b78f839782e6e0ab7b2c32f0e10015f885e Mon Sep 17 00:00:00 2001
From: paul-ion
Date: Tue, 2 Sep 2025 16:31:37 +0000
Subject: [PATCH 18/21] Fix unit test
---
 trainingportal/test/qna.test.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/trainingportal/test/qna.test.js b/trainingportal/test/qna.test.js
index d085ef34..30c6e1fe 100644
--- a/trainingportal/test/qna.test.js
+++ b/trainingportal/test/qna.test.js
@@ -20,6 +20,8 @@ describe("qna", () => {
 test("true for correct code",()=>{
 let text = "plain text";
 for(let alg in qna.DEFS){
+
+ if(alg.startsWith("crypto") == false) continue;
 if(alg === "crypto_analysis") continue;
 let res = qna.getCode(alg,text);
 let check = qna.checkCode(text, res.digest);
From bbcff8680e482031f82566a95d3cd3fa2dc73b2c Mon Sep 17 00:00:00 2001
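Review bot: The added guard `if(alg.startsWith("crypto") == false) continue;` in the `qna.test.js` hunk makes the round-trip test skip every `qna.DEFS` key without the `crypto` prefix, and nothing visible checks that any key was actually exercised, so the test would pass vacuously if the prefix ever stopped matching. Since `getCode`/`checkCode` back the quiz answer verification, I would count the algorithms that reach the assertion and finish with something like `expect(tested).toBeGreaterThan(0);` (assuming the file uses Jest's `expect`, which the hunk does not show). The guard reads more directly as `if(!alg.startsWith("crypto")) continue;`, with a one-line comment on why the non-crypto definitions are excluded, and the whitespace-only `+` line above it can be dropped. The test body continues past the end of the hunk.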
From: paul-ion
Date: Tue, 2 Sep 2025 18:46:20 +0000
Subject: [PATCH 19/21] Update the lesson count
---
 trainingportal/static/lessons/modules.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/trainingportal/static/lessons/modules.json b/trainingportal/static/lessons/modules.json
index 46a4b336..ef661031 100644
--- a/trainingportal/static/lessons/modules.json
+++ b/trainingportal/static/lessons/modules.json
@@ -18,7 +18,7 @@
 "name":"Vulnerability Investigator",
 "summary":"Understanding vulnerability severity",
 "description":"This module covers the most important aspects of the Common Vulnerability Scoring System (CVSS)",
- "description2": "Includes lessons. Estimated duration 2 hours.",
+ "description2": "Includes 9 lessons. Estimated duration 2 hours.",
 "badgeInfo":{
 "line1":"Secure Coding Dojo",
 "line2":"Vulnerability Investigator",
From f89c15062114ac0d4caf07fcb27185d32e642784 Mon Sep 17 00:00:00 2001
From: paul-ion
Date: Tue, 2 Sep 2025 21:33:57 +0000
Subject: [PATCH 20/21] Print "Vulnerability Investigator" on two lines
---
 trainingportal/static/lessons/modules.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/trainingportal/static/lessons/modules.json b/trainingportal/static/lessons/modules.json
index ef661031..4ef9b00c 100644
--- a/trainingportal/static/lessons/modules.json
+++ b/trainingportal/static/lessons/modules.json
@@ -21,8 +21,8 @@
 "description2": "Includes 9 lessons. Estimated duration 2 hours.",
 "badgeInfo":{
 "line1":"Secure Coding Dojo",
- "line2":"Vulnerability Investigator",
- "line3":"",
+ "line2":"Vulnerability",
+ "line3":"Investigator",
 "bg":"darkorange"
 },
 "requiredModules":[]
From 0ac204d6be9312f851e2e285d942ee52a438cd54 Mon Sep 17 00:00:00 2001
From: Martin Georgiev <4148719+martindg@users.noreply.github.com>
Date: Wed, 10 Sep 2025 14:06:58 +0000
Subject: [PATCH 21/21] Fix Integrity typo
---
 trainingportal/static/lessons/cvss/cvss_1_intro.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/trainingportal/static/lessons/cvss/cvss_1_intro.md b/trainingportal/static/lessons/cvss/cvss_1_intro.md
index 8ae7763d..e4986d0b 100644
--- a/trainingportal/static/lessons/cvss/cvss_1_intro.md
+++ b/trainingportal/static/lessons/cvss/cvss_1_intro.md
@@ -261,7 +261,7 @@ Examples of change of scope (vulnerable to subsequent) for impact:
 - None (`N`)
 - No impact
 - Low (`L`)
- - Read access to some restricted data:
+ - Write access to some restricted data:
 - No control over which data
 - Amount/kind is limited
 - **Examples**: