Quick question for #infosec people: When assigning a CVSS score for a Stored XSS vulnerability in a web app does it make sense to set scope to changed (S:C) or unchanged (S:U)?

#CVSS