The NUWCDIVNPT STIG Manager product, versions 1.5.10 through 1.6.7, is affected by a reflected Cross-Site Scripting (CWE-79) vulnerability in its OIDC authentication error handling implementation. Specifically, the 'error' and 'error_description' parameters returned by the OIDC provider during redirect flows are written directly to the DOM via innerHTML without HTML escaping in 'src/init.js' and 'public/reauth.html'. An attacker who crafts a malicious redirect URL and convinces a user to visit it can execute arbitrary JavaScript in the application's origin context. This can lead to unauthorized actions including reading and modifying collection data by leveraging an active session's SharedWorker. The vulnerability has a CVSS 4.0 base score of 8.5 (high severity). The issue is patched in version 1.6.8. No official workaround exists; partial mitigation may be achieved by web application firewalls filtering reflected XSS payloads in query parameters, but patching is required for full remediation.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the STIG Manager web application. When the victim has an active session, the injected script can communicate with the SharedWorker managing the access token, enabling authenticated API requests on behalf of the victim. This can lead to unauthorized reading and modification of sensitive collection data within the application. The vulnerability does not require user privileges or authentication but does require user interaction to follow a crafted URL. The CVSS score of 8.5 reflects the high impact on confidentiality and integrity.

The vulnerability is fixed in STIG Manager version 1.6.8. Upgrading to this version or later is the only complete remediation. There are no official workarounds. Deployments may achieve partial mitigation by using web application firewalls that filter reflected XSS payloads in query parameters; however, this is not a substitute for applying the official patch.