6.1
CVE-2025-67634
- EPSS 0.04%
- Veröffentlicht 12.12.2025 20:36:25
- Zuletzt bearbeitet 02.01.2026 18:52:18
- Quelle 9119a7d8-5eab-497f-8521-727c67
- CVE-Watchlists
- Unerledigt
LoginThe CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cisa ≫ Software Acquisition Guide Version < 2025-12-11
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.1 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 4.6 | 0 | 0 |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 4.4 | 1.8 | 2.5 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.