A zero-day cross-site scripting vulnerability has been discovered in BuySpeed, an automated procure-to-pay tool from Periscope Holdings, a provider of procurement software solutions for public-sector entities and their suppliers.

The flaw, found in BuySpeed version 14.5, "could allow a local, authenticated attacker to store arbitrary JavaScript within the application," warns a vulnerability advisory from the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute. "This JavaScript is subsequently displayed by the application without sanitization, leading to it executing in the browser of the user. This could potentially allow for website redirection, session hijacking, or information disclosure."

The CERT/CC said that it is unaware of a practical solution to the vulnerability.

Austin, Texas-based Periscope Holdings facilitates public-sector commodities and services procurement through a collection of solutions for buyers and sellers. According to the company's website, BuySpeed holds the exclusive license to maintain, enhance and market the National Institute of Governmental Purchasings' Commodity/Services Code, and manages the NIGP Consulting Program. The NIGP Code is a universal taxonomy used to classify commodities and services that are procured by North American state and local governments.

"Based on available information, the vulnerability in Periscope BuySpeed can only be exploited by an authenticated user. This significantly reduces the threat and overall risk posed by the vulnerability," said Art Manion, vulnerability analysis technical manager at the CERT/CC. "That said, stored cross-site scripting is a fairly well understood type of vulnerability, and we encourage Periscope to appropriately prioritize fixing this and any similar issues in BuySpeed."

SC Media reached out to Periscope Holdings for comment and received the following statement: "We were aware of CERT Vulnerability Note VU#660597. We have already developed remediation and have made this available to customers. We are alerting CERT of the remediation so they can correct their advisory."