STIG Manager Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in STIG Manager versions from 1.5.10 up to, but not including, 1.6.8. The issue arises in the OIDC authentication error handling, where the 'error' and 'error_description' query parameters returned by the OIDC provider are inserted directly into the DOM via 'innerHTML' without HTML escaping. Because the browser parses these values as markup, an attacker who can get a victim to follow a crafted redirect can execute arbitrary JavaScript in the application's origin. This particularly affects users who have an active STIG Manager session open in another browser tab: the injected script can interact with the SharedWorker that holds the access token, enabling unauthorized API requests that could read or modify collection data.
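To illustrate the defect class and its fix, the following is an added example (not STIG Manager's own code): a constructed OIDC error redirect is parsed, rendered the vulnerable way with innerHTML, and then rendered with HTML escaping and with textContent-based DOM construction. The URL, the page element names and the helper functions are all assumptions.

```javascript
// Constructed redirect carrying an OIDC error; the description holds benign markup.
const CONSTRUCTED_REDIRECT =
  "https://stigman.example/?error=access_denied" +
  "&error_description=%3Cb%3Einjected%3C%2Fb%3E";

// Extract the two OIDC error parameters named in the advisory from a redirect URL.
function parseOidcError(urlString) {
  const params = new URL(urlString).searchParams;
  return {
    error: params.get("error") ?? "",
    description: params.get("error_description") ?? "",
  };
}

// Vulnerable pattern (for contrast): untrusted values interpolated into a
// markup string that is later assigned to innerHTML, so tags are parsed live.
function vulnerableMarkup({ error, description }) {
  return `<p><b>${error}</b>: ${description}</p>`;
}

// Fix 1: escape the five HTML-significant characters before any innerHTML use.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function safeMarkup({ error, description }) {
  return `<p><b>${escapeHtml(error)}</b>: ${escapeHtml(description)}</p>`;
}

// Fix 2 (preferred in the browser): build elements and assign textContent,
// which never parses markup. `doc` is the Document; `container` the target element.
function renderOidcError(container, { error, description }, doc = globalThis.document) {
  const p = doc.createElement("p");
  const b = doc.createElement("b");
  b.textContent = error;                       // rendered literally
  p.appendChild(b);
  p.appendChild(doc.createTextNode(`: ${description}`));
  container.appendChild(p);
  return p;
}

// Quick regression check: does a rendered string still contain a live tag
// from the untrusted description?
function leaksTag(markup, description) {
  return description.includes("<") && markup.includes(description);
}
```

In a browser, `renderOidcError(document.body, parseOidcError(location.href))` shows the provider's message as plain text; the `leaksTag` helper is suitable for a unit test that fails if escaping is ever removed.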

Impact

Exploitation of this vulnerability allows for reflected Cross-Site Scripting, where an attacker can execute JavaScript in the context of the user's session, potentially leading to unauthorized access or modification of data through authenticated API requests.

Remediation

Users are advised to upgrade STIG Manager to version 1.6.8 or later. There is no workaround other than upgrading. A web application firewall that filters reflected XSS payloads in query parameters may provide partial mitigation, but it is not a substitute for patching.

Added: Apr 23, 2026, 2:27 AM
Updated: Apr 23, 2026, 2:27 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.2
remediation: 0.0
relevance: 6.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.