
Zero-day bug found in procurement solution used by government bodies

A zero-day cross-site scripting vulnerability has been discovered in BuySpeed, an automated procure-to-pay tool from Periscope Holdings, a provider of procurement software solutions for public-sector entities and their suppliers.

The flaw, found in BuySpeed version 14.5, "could allow a local, authenticated attacker to store arbitrary JavaScript within the application," warns a vulnerability advisory from the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute. "This JavaScript is subsequently displayed by the application without sanitization, leading to it executing in the browser of the user. This could potentially allow for website redirection, session hijacking, or information disclosure."
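The advisory's description, stored text displayed "without sanitization", is the classic stored cross-site scripting pattern. The following is an added illustration, not BuySpeed code: a constructed record store with a free-text field one authenticated user can set and other users later see, rendered first the vulnerable way and then with HTML-entity encoding applied at output time.

```javascript
// Added illustration of the stored-XSS class described in the advisory.
// Nothing here is BuySpeed code; records, field names and values are constructed.

// Constructed store: a supplier "note" field set by one authenticated user and
// later displayed in other users' browsers (buyers, approvers, other suppliers).
const records = [
  { id: 1, vendor: 'Acme Supply', note: 'Delivery in 5 days' },
  { id: 2, vendor: 'Example Co', note: '<script>alert(1)</script>' }, // constructed hostile value
];

// Vulnerable pattern: stored text is concatenated straight into the HTML body,
// so any markup saved in the field is parsed and executed by the viewer's browser.
function renderUnsafe(rec) {
  return `<tr><td>${rec.vendor}</td><td>${rec.note}</td></tr>`;
}

// Hardened pattern: entity-encode every character that has meaning in an HTML
// text context before interpolation. Markup inside the data becomes inert text.
// Note: this encoding is for HTML text/attribute contexts only; a value placed
// inside a <script> block, a URL, or a CSS rule needs that context's encoder.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => `&#${c.charCodeAt(0)};`);
}

function renderSafe(rec) {
  return `<tr><td>${escapeHtml(rec.vendor)}</td><td>${escapeHtml(rec.note)}</td></tr>`;
}

// Defender's regression check: rendering a record must never introduce a tag
// that the template itself did not contain. Returns true when output is clean.
function rendersWithoutInjectedTags(renderer, rec) {
  const templateTags = new Set(['tr', 'td', '/td', '/tr']);
  const tags = [...renderer(rec).matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.every((t) => templateTags.has(t));
}

// Stand-alone demonstration.
for (const rec of records) {
  console.log('unsafe ok:', rendersWithoutInjectedTags(renderUnsafe, rec));
  console.log('safe   ok:', rendersWithoutInjectedTags(renderSafe, rec));
}
```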

The CERT/CC said that it is unaware of a practical solution to the vulnerability.

Austin, Texas-based Periscope Holdings facilitates public-sector commodities and services procurement through a collection of solutions for buyers and sellers. According to the company's website, BuySpeed holds the exclusive license to maintain, enhance and market the National Institute of Governmental Purchasing's Commodity/Services Code, and manages the NIGP Consulting Program. The NIGP Code is a universal taxonomy used to classify commodities and services that are procured by North American state and local governments.

"Based on available information, the vulnerability in Periscope BuySpeed can only be exploited by an authenticated user. This significantly reduces the threat and overall risk posed by the vulnerability," said Art Manion, vulnerability analysis technical manager at the CERT/CC. "That said, stored cross-site scripting is a fairly well understood type of vulnerability, and we encourage Periscope to appropriately prioritize fixing this and any similar issues in BuySpeed."

SC Media reached out to Periscope Holdings for comment and received the following statement: "We were aware of CERT Vulnerability Note VU#660597. We have already developed remediation and have made this available to customers. We are alerting CERT of the remediation so they can correct their advisory."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
