Definition of severity levels
The severity level can be determined using the Common Vulnerability Scoring System (CVSS). The FIRST (Forum of Incident Response and Security Teams) website provides an interactive tool for this purpose: https://www.first.org/cvss/calculator/3.0.
Critical (CVSS v3 score: 9.0-10.0): Critical incidents typically do not require any interaction by the person targeted. Accordingly, an attacker does not need any special knowledge about a target. Remote code execution is typical for a critical incident. Repercussions include the leakage of personal data or the loss of anonymity.
High (CVSS v3 score: 7.0-8.9): User actions (social engineering) are necessary for successful exploitation. The attacker can thus gain extensive privileges. Here too, repercussions can include data leakage.
Medium (CVSS v3 score: 4.0-6.9): Only limited access is gained in the event of exploitation. Moreover, the attacker must be in the same system as the victim. Data is not affected or only to a limited extent.
Low (CVSS v3 score: 0.1-3.9): Functionality and data are not affected. Layout errors and spelling mistakes are also in this category.