CVE-2026-41200— STIG Manager has reflected XSS vulnerability in the Web App

STIG Manager has reflected XSS vulnerability in the Web App

STIG Manager is an API and web client for managing Security Technical Implementation Guides (STIG) assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting (XSS) vulnerability in the OIDC authentication error handling code in `src/init.js` and `public/reauth.html`. During the OIDC redirect flow, the `error` and `error_description` query parameters returned by the OIDC provider are written directly to the DOM via `innerHTML` without HTML escaping. An attacker who can craft a malicious redirect URL and convince a user to follow it can execute arbitrary JavaScript in the application's origin context. The vulnerability is most severe when the targeted user has an active STIG Manager session running in another browser tab — injected code executes in the same origin and can communicate with the SharedWorker managing the active access token, enabling authenticated API requests on behalf of the victim including reading and modifying collection data. The vulnerability is patched in version 1.6.8. There is no workaround short of upgrading. Deployments behind a web application firewall that filters reflected XSS payloads in query parameters may have partial mitigation, but this is not a substitute for patching.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

STIG Manager 跨站脚本漏洞

STIG Manager是NUWCDIVNPT开源的一个信息安全合规评估管理工具。 STIG Manager 1.5.10版本至1.6.7版本存在跨站脚本漏洞，该漏洞源于OIDC认证错误处理代码中innerHTML写入未转义，可能导致反射型跨站脚本攻击。

N/A

N/A