National Cyber Warfare Foundation (NCWF)

CISA’s secure-software buying tool had a simple XSS vulnerability of its own
2026-01-15 22:53:38
milo
Blue Team (CND)

A researcher who discovered the vulnerability said it was fixed in December, after he first reported it to the agency in September.

The post CISA’s secure-software buying tool had a simple XSS vulnerability of its own appeared first on CyberScoop.

A Cybersecurity and Infrastructure Security Agency tool dedicated to helping government agencies buy secure software turned out to have a cybersecurity vulnerability of its own.
Jeff Williams, the former leader of the Open Worldwide Application Security Project (OWASP), told CyberScoop that he discovered a cross-site scripting vulnerability in CISA’s “Software Acquisition Guide: Supplier Response Web Tool” and reported it to CISA in September, before it was eventually fixed in December.





The vulnerability involves attackers injecting JavaScript into a web page, then getting that JavaScript to attack other users of that same page, he said. It also could have been used to deface the website, he said.
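The pattern Williams describes, and the "most basic test" for it, as an added example that is not code from the article or from CISA's tool: a hypothetical supplier-response field is echoed back into the page, first with raw concatenation and then with output encoding, and a harmless markup marker is used to check which behaviour a field has.

```javascript
// Added example (not code from the article or CISA's tool). Assumes a
// hypothetical form field whose value is rendered back into an HTML table.

// Encode the five characters that let text break out of an HTML text node or
// quoted attribute value (output encoding for HTML body/attribute context).
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Vulnerable rendering: untrusted text is concatenated into markup, so any
// tags it contains become live HTML for every user who views the page.
function renderSupplierResponseUnsafe(vendor, answer) {
  return `<tr><td>${vendor}</td><td>${answer}</td></tr>`;
}

// Fixed rendering: every untrusted value is encoded for the context it lands in.
// (In DOM code the equivalent is assigning textContent rather than innerHTML.)
function renderSupplierResponse(vendor, answer) {
  return `<tr><td>${escapeHtml(vendor)}</td><td>${escapeHtml(answer)}</td></tr>`;
}

// The basic self-check: submit an inert marker containing markup and see
// whether it comes back as live HTML (vulnerable) or as encoded text (fixed).
// The marker renders as bold text at most; it is a detection aid, not a payload.
const MARKUP_PROBE = '<b data-probe="xss-check">probe</b>';

function reflectsMarkupUnescaped(renderedHtml) {
  return renderedHtml.includes(MARKUP_PROBE);
}

// Returns whether the given renderer reflects the marker unencoded.
function runBasicCheck(renderFn) {
  const html = renderFn("Example Vendor", MARKUP_PROBE); // constructed input
  return { vulnerable: reflectsMarkupUnescaped(html), html };
}

console.log(runBasicCheck(renderSupplierResponseUnsafe).vulnerable); // true
console.log(runBasicCheck(renderSupplierResponse).vulnerable);       // false
```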
Williams, co-founder and chief technology officer of the application security firm Contrast Security, said it should have been easy for someone to spot the vulnerability at CISA, since it was the first attack he tried.
“I thought it was a little hypocritical to be promoting secure software development and not do the most basic test you could possibly do,” he said.
When Williams first reported the flaw through a bug bounty program, it was rejected as not critical enough, but he later got the flaw taken up through CISA’s Vulnerability Information and Coordination Environment program. The government shutdown contributed to the delay in fixing it, but Williams said it should have been just five minutes of work.
Williams said that while there are worse bugs than the one he uncovered, “I have customers that would treat this vulnerability as incredibly serious, because they take their reputation to be one of their most important assets.”
CISA’s role as an evangelist for cybersecurity hasn’t made it immune to cyberattacks. Notably, the agency identified a breach in 2024 that triggered a notification to Congress.
The chief information officer for CISA, Robert Costello, said the agency took action after receiving notification about a potential vulnerability.
“As per protocol, we addressed and patched the vulnerability, ensuring there was no significant risk or known exploitation,” he said in a statement to CyberScoop. “Additionally, our team identified process improvements for future vulnerabilities reported to the agency. As a champion for the CVE [Common Vulnerabilities and Exposures] program, CISA followed the standard coordinated disclosure processes to create a CVE that documents the vulnerability. CISA appreciates the report provided by this security researcher. This is another example of operational collaboration in action.”
Source: CyberScoop
Source Link: https://cyberscoop.com/cisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own/
