CVE-2025-67634

Software Acquisition Guide Supplier Response Web Tool XSS

CVSS 4.6 MEDIUMEPSS 0.2%CWE-79

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 4.6EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

12 dez 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Produtos afetados

CISA · Software Acquisition Guide Tool

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-345-01.json https://www.cisa.gov/software-acquisition-guide/tool https://www.cve.org/CVERecord?id=CVE-2025-67634