Stig Manager
Monthly
Reflected Cross-Site Scripting in STIG Manager 1.5.10 through 1.6.7 enables arbitrary JavaScript execution during OIDC authentication error handling. Attackers crafting malicious redirect URLs can exploit unsanitized error parameters written directly to DOM via innerHTML. When victims with active sessions follow these links, injected code executes in application context with access to SharedWorker-managed authentication tokens, enabling authenticated API requests to read and modify STIG assessment collection data. CVSS 8.5 reflects high confidentiality and integrity impact despite requiring user interaction. No public exploit identified at time of analysis; vendor-released patch available in version 1.6.8.
Reflected Cross-Site Scripting in STIG Manager 1.5.10 through 1.6.7 enables arbitrary JavaScript execution during OIDC authentication error handling. Attackers crafting malicious redirect URLs can exploit unsanitized error parameters written directly to DOM via innerHTML. When victims with active sessions follow these links, injected code executes in application context with access to SharedWorker-managed authentication tokens, enabling authenticated API requests to read and modify STIG assessment collection data. CVSS 8.5 reflects high confidentiality and integrity impact despite requiring user interaction. No public exploit identified at time of analysis; vendor-released patch available in version 1.6.8.