VulnerAlert



BROWSER
15-12-2025 23:27

CVE-2025-67634 Documented vulnerability

No score
Tags
#site
#cross
#web
#javascript
#java
#cross-site
#browser
#cross-site scripting
#vulnerable
#scripting
#execute
#attack
Description
The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-345-01.json
https://www.cisa.gov/software-acquisition-guide/tool
https://www.cve.org/CVERecord?id=CVE-2025-67634
Reference
CVE-2025-67634
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-67634
Similar results
Matching at least 50% of the tags
15-12-2025 CVE-2025-34412
The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism fa...
15-12-2025 CVE-2025-37732
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) a...