A zero-day cross-site scripting vulnerability has been discovered in BuySpeed, an automated procure-to-pay tool from Periscope Holdings, a provider of procurement software solutions for public-sector entities and their suppliers.
The CERT/CC said that it is unaware of a practical solution to the vulnerability.
Austin, Texas-based Periscope Holdings facilitates public-sector commodities and services procurement through a collection of solutions for buyers and sellers. According to the company's website, BuySpeed holds the exclusive license to maintain, enhance and market the National Institute of Governmental Purchasing's Commodity/Services Code, and manages the NIGP Consulting Program. The NIGP Code is a universal taxonomy used to classify commodities and services that are procured by North American state and local governments.
"Based on available information, the vulnerability in Periscope BuySpeed can only be exploited by an authenticated user. This significantly reduces the threat and overall risk posed by the vulnerability," said Art Manion, vulnerability analysis technical manager at the CERT/CC. "That said, stored cross-site scripting is a fairly well understood type of vulnerability, and we encourage Periscope to appropriately prioritize fixing this and any similar issues in BuySpeed."
SC Media reached out to Periscope Holdings for comment and received the following statement: "We were aware of CERT Vulnerability Note VU#660597. We have already developed remediation and have made this available to customers. We are alerting CERT of the remediation so they can correct their advisory."