Software Acquisition Guide Supplier Response Web Tool XSS_CVE-2025-67634

4.6 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').

Basic Information

ID CVE-2025-67634

Source cisa-cg

Published Dec 12, 2025 at 20:36

Affected Product

Vendor CISA

Product Software Acquisition Guide Tool

Affected Versions CISA Software Acquisition Guide Tool 0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').",
    "published": "2025-12-12T20:36:25.597Z",
    "modified": "2025-12-12T20:36:25.597Z",
    "type": "cve",
    "title": "Software Acquisition Guide Supplier Response Web Tool XSS",
    "source": "cisa-cg",
    "references": "https://www.cisa.gov/software-acquisition-guide/tool\nhttps://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-345-01.json\nhttps://www.cve.org/CVERecord?id=CVE-2025-67634",
    "id": "CVE-2025-67634",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "CISA Software Acquisition Guide Tool 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.6,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Software Acquisition Guide Tool",
    "version": "0",
    "vendor": "CISA",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}