Security Alert: XSS Vulnerability in 2.6
This is a security alert bulletin.
Affects: OpenFISMA 2.6.0 - 2.6.3
Fixed in: OpenFISMA 2.6.4
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:N) 9.4
Description:
An XSS vulnerability exists in the Incident module of OpenFISMA 2.6 (affecting 2.6.0 through 2.6.3). It allows an unauthenticated attacker to inject malicious active content (such as JavaScript) into another user's session.
Depending on server and network configuration, an attacker might be able to exploit this remotely over port 80 or 443.
Recommendations:
1. We strongly urge OpenFISMA users to update to version 2.6.4 or later.
2. Disable the Incident module until the patch can be applied.
3. As a best practice, run OpenFISMA on a private network that is firewalled from general internet traffic.
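The advisory does not publish the affected template, so the snippet below is an added illustration (not OpenFISMA's own code) of the defect class and its fix: an incident field supplied by an unauthenticated reporter is rendered into HTML once unescaped and once with contextual escaping. The $incident array, field names and function names are hypothetical.

```php
<?php
// Added example, not code from the OpenFISMA project. Field names and
// structure are assumed; the advisory does not state which field is affected.

// Constructed sample input: an incident report carrying active content.
$incident = [
    'id'          => 42,
    'description' => 'Laptop left in taxi <script>/* active content */</script>',
];

// Vulnerable pattern: the untrusted field is concatenated straight into the
// page, so every user who views the incident list executes the reporter's markup.
function renderUnsafe(array $incident): string
{
    return '<td>' . $incident['description'] . '</td>';
}

// Contextual escaping for HTML text: quotes, angle brackets and ampersands
// become entities, and invalid UTF-8 is substituted rather than passed through.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: the same field rendered through the escaper.
function renderSafe(array $incident): string
{
    return '<td>' . e($incident['description']) . '</td>';
}

// Simple self-check a reviewer can run over rendered output: a literal
// <script> tag surviving into the HTML means escaping was skipped somewhere.
function containsActiveContent(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo renderUnsafe($incident), PHP_EOL;  // raw <script> tag reaches the browser
echo renderSafe($incident), PHP_EOL;    // &lt;script&gt;... is shown as inert text

assert(containsActiveContent(renderUnsafe($incident)) === true);
assert(containsActiveContent(renderSafe($incident)) === false);
```

Disabling the module (recommendation 2) removes the rendering path entirely; the escaping shown here is what the fixed version must apply to every reporter-controlled field, not a substitute for updating to 2.6.4.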
- mhaase's blog
