US National Vulnerability Database vulnerable to XSS attack

The National Vulnerability Database (NVD), the US government repository of CVE security-related software flaws, is vulnerable to a cross-site-scripting (XSS) attack.

Information security consultant Paul Moore posted a proof-of-concept (POC) video on YouTube on Tuesday, and told SCMagazineUK.com later that day: “As with any XSS exploit, an attacker can leverage the user's trust in that domain.”

He added:  “If the DOM (Document Object Mode) is replaced with a phishing page to collect personal identifiable information (PII) and card information, it's less likely to raise suspicion.  The TLS certificate isn't designed to mitigate this risk either, so unless an attacker loads dependencies from an insecure source, it won't alert the user to any unusual activity.”

He added: “I very much doubt this is being exploited; we're yet to confirm exactly how the payload reaches the site. It could have been a member of staff innocently entering the description, which dramatically reduces the risk. If submissions are reviewed manually, it's unlikely that any malicious payload would actually reach the site without being noticed, sanitised and removed manually.”

He said in the unlikely event it was being exploited, an attacker could modify any aspect of page, redirect users to another site and create or edit pages to artificially introduce fake CVE vulnerabilities, “which potentially impacts upon the trust and financial well-being of any firm feature, not to mention the possibility of introducing phishing/malware to a supposedly-secure site.”

“This really is the lowest of the low hanging fruit, which actually raises more questions than it answers.  It doesn't appear they've made any attempt to correctly encode the values contained within the description field."

Moore – who did face some criticism on Twitter for not reporting the incident to the NVD - did say, however, that the use of Content Security Policys (CSPs) by most modern browsers would prevent exploits and proactively report existence of the bug via a reporting endpoint.

A spokesman for The National Vulnerability Database told SC that it was “aware of the problem and working to correct it.”

Sign up to our newsletters