US National Vulnerability Database contained … yup, an XSS vuln

The US National Vulnerability Database was itself left vulnerable to cross-site scripting last week.

The NVD serves as a definitive source of information on CVE security flaws. The XSS vulnerability meant that a skilled hacker could present surfers with content from arbitrary third-party sites as if it came from the NVD itself.

Security consultant Paul Moore, who brought the issue to our attention, told El Reg that the issue presented “minimal risk depending on how payload reaches the site, but could damage reputation/financial wellbeing of firms with fake CVEs”.

Moore put together a proof-of-concept YouTube video demonstrating the flaw. XSS and SQL injection regularly top the charts as the most common classes of web development security slip-ups.

In response to a request for comment from El Reg, a representative from NIST (National Institute of Standards and Technology – the organisation that runs the NVD site) said that the problem has been fixed:

“The National Vulnerability Database (NVD) had an issue where it did not properly sanitise input received from NVD and partner systems. The issue has since been resolved and the Common Vulnerabilities and Exposures (CVEs) now display correctly.”

Source: http://www.theregister.co.uk/
