exploitDog

CVE-2025-67634

Опубликовано: 12 дек. 2025

Источник: nvd

CVSS3: 4.4

CVSS3: 6.1

EPSS Низкий

Описание

The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').

Ссылки

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-345-01.json
Vendor Advisory
https://www.cisa.gov/software-acquisition-guide/tool
Product
https://www.cve.org/CVERecord?id=CVE-2025-67634
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:cisa:software_acquisition_guide:*:*:*:*:*:*:*:*

Версия до 2025-12-11 (исключая)

EPSS

Процентиль: 8%

0.0003

Низкий

4.4 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-5m87-3r8p-jp6j

CVSS3: 4.4

github

около 2 месяцев назад

The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').

EPSS

Процентиль: 8%

0.0003

Низкий

4.4 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79