The NUWCDIVNPT STIG Manager product, versions 1.5.10 through 1.6.7, is affected by a reflected Cross-Site Scripting (CWE-79) vulnerability in its OIDC authentication error handling implementation. Specifically, the 'error' and 'error_description' parameters returned during the OIDC redirect flow are directly written to the DOM using innerHTML without HTML escaping in 'src/init.js' and 'public/reauth.html'. An attacker who crafts a malicious redirect URL and convinces a user to follow it can execute arbitrary JavaScript within the application's origin. This can lead to unauthorized authenticated API requests by leveraging the SharedWorker that manages the active access token if the victim has an active session in another browser tab. The vulnerability has a CVSS 4.0 score of 8.5 (high severity). The issue is resolved in version 1.6.8. Partial mitigation may be achieved by web application firewalls filtering reflected XSS payloads, but upgrading is required for full remediation.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the STIG Manager web application. This can lead to unauthorized authenticated API requests, including reading and modifying sensitive collection data, by interacting with the SharedWorker managing the user's active access token. The impact is high due to the ability to perform actions with the victim's privileges without requiring user privileges or prior authentication.

The vulnerability is patched in STIG Manager version 1.6.8. Users should upgrade to this version to fully remediate the issue. There is no known workaround other than upgrading. Deployments using web application firewalls that filter reflected XSS payloads in query parameters may experience partial mitigation, but this does not replace the need to apply the official fix.