CVE-2025-67634 (GCVE-0-2025-67634)
Vulnerability from cvelistv5 – Published: 2025-12-12 20:36 – Updated: 2026-01-08 18:13 Exclusively Hosted Service
VLAI?
Title
Software Acquisition Guide Supplier Response Web Tool XSS
Summary
The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CISA | Software Acquisition Guide Tool |
Affected:
0 , < 2025-12-11
(custom)
Unaffected: 2025-12-11 |
Credits
Jeff Williams, Contrast Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67634",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T18:12:59.164895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T18:13:27.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Software Acquisition Guide Tool",
"vendor": "CISA",
"versions": [
{
"lessThan": "2025-12-11",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2025-12-11"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jeff Williams, Contrast Security"
}
],
"datePublic": "2025-12-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user\u0027s browser when the user submits the page (clicks \u0027Next\u0027)."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-67634",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T20:50:13.854807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T20:36:25.597Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"tags": [
"product"
],
"url": "https://www.cisa.gov/software-acquisition-guide/tool"
},
{
"name": "url",
"tags": [
"government-resource",
"third-party-advisory"
],
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-345-01.json"
},
{
"name": "url",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67634"
}
],
"tags": [
"exclusively-hosted-service"
],
"title": "Software Acquisition Guide Supplier Response Web Tool XSS"
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2025-67634",
"datePublished": "2025-12-12T20:36:25.597Z",
"dateReserved": "2025-12-09T17:06:11.269Z",
"dateUpdated": "2026-01-08T18:13:27.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-67634\",\"sourceIdentifier\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"published\":\"2025-12-12T21:15:59.480\",\"lastModified\":\"2026-01-02T18:52:18.527\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[{\"sourceIdentifier\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"exclusively-hosted-service\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user\u0027s browser when the user submits the page (clicks \u0027Next\u0027).\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisa:software_acquisition_guide:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2025-12-11\",\"matchCriteriaId\":\"0FF25D14-2035-40E0-8203-F63469E4CC82\"}]}]}],\"references\":[{\"url\":\"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-345-01.json\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/software-acquisition-guide/tool\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"Product\"]},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2025-67634\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-67634\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-08T18:12:59.164895Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-08T18:13:15.096Z\"}}], \"cna\": {\"tags\": [\"exclusively-hosted-service\"], \"title\": \"Software Acquisition Guide Supplier Response Web Tool XSS\", \"credits\": [{\"lang\": \"en\", \"value\": \"Jeff Williams, Contrast Security\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}, {\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-67634\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-08T20:50:13.854807Z\"}}}], \"affected\": [{\"vendor\": \"CISA\", \"product\": \"Software Acquisition Guide Tool\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2025-12-11\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"2025-12-11\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2025-12-11T00:00:00.000Z\", \"references\": [{\"url\": \"https://www.cisa.gov/software-acquisition-guide/tool\", \"name\": \"url\", \"tags\": [\"product\"]}, {\"url\": \"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-345-01.json\", \"name\": \"url\", \"tags\": [\"government-resource\", \"third-party-advisory\"]}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2025-67634\", \"name\": \"url\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user\u0027s browser when the user submits the page (clicks \u0027Next\u0027).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"9119a7d8-5eab-497f-8521-727c672e3725\", \"shortName\": \"cisa-cg\", \"dateUpdated\": \"2025-12-12T20:36:25.597Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-67634\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-08T18:13:27.307Z\", \"dateReserved\": \"2025-12-09T17:06:11.269Z\", \"assignerOrgId\": \"9119a7d8-5eab-497f-8521-727c672e3725\", \"datePublished\": \"2025-12-12T20:36:25.597Z\", \"assignerShortName\": \"cisa-cg\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…