Home

Description

The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').

PUBLISHED Reserved 2025-12-09 | Published 2025-12-12 | Updated 2025-12-12 | Assigner cisa-cg




MEDIUM: 4.6CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
MEDIUM: 4.4CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unknown

Any version before 2025-12-11
affected

2025-12-11
unaffected

Credits

Jeff Williams, Contrast Security

References

www.cisa.gov/software-acquisition-guide/tool (url) product

raw.githubusercontent.com/...IT/white/2025/va-25-345-01.json (url) government-resource third-party-advisory

www.cve.org/CVERecord?id=CVE-2025-67634 (url)

cve.org (CVE-2025-67634)

nvd.nist.gov (CVE-2025-67634)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.