Impact
STIG Manager, a web client for managing Security Technical Implementation Guides, contains a reflected Cross-Site Scripting flaw that allows malicious script to be injected through the OIDC authentication error-handling code in src/init.js and public/reauth.html. The vulnerability occurs when an OIDC provider returns the error and error_description parameters, which are written directly to the DOM via innerHTML without escaping. An attacker can craft a malicious redirect URL and entice a user to visit it, causing arbitrary JavaScript to run in the same origin as the application. If the targeted user holds an active STIG Manager session in another tab, the injected code can communicate with the SharedWorker that manages the access token, enabling the attacker to perform authenticated API requests on behalf of the victim, including reading and modifying collection data.
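The following is an added example, not code from the STIG Manager project, that models the flaw class described above: OIDC `error` and `error_description` query parameters taken from the redirect URL and rendered into the page. The vulnerable renderer concatenates the raw values into `innerHTML`; the hardened renderer escapes them and maps the `error` code to a known allowlist before rendering. The element stand-in, the hostname `stigman.example.test`, the function names and the sample URL are all constructed for this example so it runs under Node without a browser; the allowlist of error codes is taken from RFC 6749 section 4.1.2.1 and OpenID Connect Core section 3.1.2.6.

```javascript
// Added example (not STIG Manager's code). Minimal stand-in for a DOM element
// so the rendering functions can be exercised under Node without a browser.
function makeElement() {
  return { innerHTML: "" };
}

// Extract the OIDC error parameters from an absolute redirect URL.
// searchParams.get() percent-decodes the values, which is exactly what a
// browser-side handler would see.
function parseOidcError(redirectUrl) {
  const params = new URL(redirectUrl).searchParams;
  return {
    error: params.get("error"),
    errorDescription: params.get("error_description"),
  };
}

// VULNERABLE pattern: attacker-controlled query values are interpolated
// straight into markup, so any HTML in them becomes part of the document.
function renderErrorUnsafe(el, { error, errorDescription }) {
  el.innerHTML =
    `<h2>Authentication error: ${error}</h2><p>${errorDescription}</p>`;
  return el.innerHTML;
}

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Error codes defined by RFC 6749 s4.1.2.1 and OpenID Connect Core s3.1.2.6.
// Anything else is collapsed to a generic label so the provider cannot
// inject free-form text through the code itself.
const KNOWN_ERRORS = new Set([
  "invalid_request", "unauthorized_client", "access_denied",
  "unsupported_response_type", "invalid_scope", "server_error",
  "temporarily_unavailable", "interaction_required", "login_required",
  "account_selection_required", "consent_required", "invalid_request_uri",
  "invalid_request_object", "request_not_supported",
  "request_uri_not_supported", "registration_not_supported",
]);

// HARDENED pattern: allowlist the code, escape the description, then render.
// (In a real page, assigning to textContent on separate elements is the
// simpler alternative; escaping is used here so the output is inspectable.)
function renderErrorSafe(el, { error, errorDescription }) {
  const code = KNOWN_ERRORS.has(error) ? error : "unknown_error";
  const description = escapeHtml(errorDescription ?? "");
  el.innerHTML =
    `<h2>Authentication error: ${escapeHtml(code)}</h2><p>${description}</p>`;
  return el.innerHTML;
}

// Demonstration with a constructed redirect URL carrying a benign markup probe.
function demo() {
  const url = "https://stigman.example.test/reauth.html" +
    "?error=access_denied&error_description=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";
  const parsed = parseOidcError(url);
  console.log("unsafe :", renderErrorUnsafe(makeElement(), parsed));
  console.log("safe   :", renderErrorSafe(makeElement(), parsed));
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Running `demo()` shows the unsafe output containing a live `<img ... onerror=...>` element, while the safe output carries the same text as inert `&lt;img ...&gt;`. The allowlist step matters separately from escaping: an OIDC client should never display an `error` value it does not recognise, since the code is only meaningful if it is one the client was written to handle.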
Affected Systems
Versions of STIG Manager from 1.5.10 through 1.6.7 are affected. The affected vendor is NUWCDIVNPT and the product name is STIG Manager. The vulnerability is fixed in STIG Manager 1.6.8 and later; there is no known broader version impact beyond the stated range.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity. The EPSS score of less than 1% suggests exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. The attack requires a user to follow a crafted OIDC redirect URL containing a malicious error parameter; it is therefore a credential-less, social-engineering attack scenario that hinges on user interaction. If successful, the attacker gains arbitrary script execution within the application's origin (classified as Remote Code Execution in the scoring), allowing credential theft and data manipulation, with a potentially significant impact on the confidentiality and integrity of STIG data.
OpenCVE Enrichment