Cybersecurity and Infrastructure Security Agency: CISA’s secure-software buying tool had a simple XSS vulnerability of its own

CISA’s Secure Software Tool Found Vulnerable to XSS Attack

A tool designed by the Cybersecurity and Infrastructure Security Agency (CISA) to help government agencies procure secure software was itself found to contain a cross-site scripting (XSS) vulnerability. The flaw was discovered by Jeff Williams, former leader of OWASP and co-founder of Contrast Security, who reported it to CISA in September 2023.

The vulnerability allowed attackers to inject malicious JavaScript into the Software Acquisition Guide: Supplier Response Web Tool, potentially enabling defacement of the site or attacks on other users. Williams noted that the flaw was basic and should have been easily detected, calling it "hypocritical" for an agency promoting secure software development to overlook such a fundamental issue.

Initially dismissed as non-critical under CISA’s bug bounty program, the vulnerability gained attention through the agency’s Vulnerability Information and Coordination Environment (VIC) program. The fix, which Williams estimated would take only minutes to implement, was delayed until December, partly due to the government shutdown.

CISA’s Chief Information Officer, Robert Costello, confirmed the agency patched the flaw and found no evidence of exploitation. The incident was documented as a CVE, and CISA acknowledged the researcher’s report while citing process improvements for future vulnerability handling.

The discovery follows a separate 2024 breach at CISA, underscoring that even cybersecurity authorities remain targets for attacks.

Source: https://cyberscoop.com/cisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own/

Cybersecurity and Infrastructure Security Agency cybersecurity rating report: https://www.rankiteo.com/company/cisagov

Rating record:

{
  "id": "CIS1769475575",
  "linkid": "cisagov",
  "type": "Vulnerability",
  "date": "9/2023",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}

Incident details:

{
  "title": "CISA's Secure Software Tool Found Vulnerable to XSS Attack",
  "type": "Vulnerability",
  "attack_vector": "Cross-Site Scripting (XSS)",
  "vulnerability_exploited": "XSS in Software Acquisition Guide: Supplier Response Web Tool",
  "date_detected": "2023-09",
  "date_resolved": "2023-12",
  "investigation_status": "Resolved",
  "affected_entities": [
    {
      "name": "Cybersecurity and Infrastructure Security Agency (CISA)",
      "type": "Government Agency",
      "industry": "Cybersecurity",
      "location": "United States",
      "size": "Large",
      "customers_affected": "Government agencies using the tool"
    }
  ],
  "description": "A tool designed by the Cybersecurity and Infrastructure Security Agency (CISA) to help government agencies procure secure software was itself found to contain a cross-site scripting (XSS) vulnerability. The flaw was discovered by Jeff Williams, former leader of OWASP and co-founder of Contrast Security, who reported it to CISA in September 2023. The vulnerability allowed attackers to inject malicious JavaScript into the Software Acquisition Guide: Supplier Response Web Tool, potentially enabling defacement of the site or attacks on other users.",
  "impact": {
    "systems_affected": "Software Acquisition Guide: Supplier Response Web Tool",
    "brand_reputation_impact": "Potential reputational damage due to hypocrisy in promoting secure software development"
  },
  "response": {
    "containment_measures": "Vulnerability patched",
    "remediation_measures": "Fix implemented (estimated minutes to resolve)",
    "communication_strategy": "Acknowledged researcher's report, documented as CVE, cited process improvements"
  },
  "post_incident_analysis": {
    "root_causes": "Basic XSS vulnerability overlooked in a tool promoting secure software development",
    "corrective_actions": "Patch implemented, process improvements for vulnerability handling"
  },
  "lessons_learned": "Even cybersecurity authorities are vulnerable to basic flaws; importance of thorough vulnerability assessments and timely patching.",
  "recommendations": "Improve vulnerability handling processes, ensure timely fixes for reported issues, and maintain consistency in secure software development practices.",
  "references": [
    { "source": "Jeff Williams (Contrast Security)" },
    { "source": "CISA Statement" }
  ]
}