BugCrowd Bug Bounty Disclosure: P5 – Reflected XSS Vulnerability in SEWP Provider Lookup Tool – www.sewp.nasa.gov – Uma_Maheshwar_Ayyala

Reflected XSS Vulnerability in SEWP Provider Lookup Tool – www.sewp.nasa.gov

Engagement: National Aeronautics and Space Administration (NASA) – Vulnerability Disclosure Program
Disclosed at: 2025-05-12T18:49:42Z
Priority: P5
Status: Informational

Summary

DOM-Based Reflected Cross-Site Scripting (XSS) Vulnerability on NASA Subdomain

During routine reconnaissance and testing, I identified a DOM-based reflected XSS vulnerability on NASA’s SEWP Provider Lookup Tool. The application improperly reflected user input into the DOM without adequate sanitization or output encoding. This allowed execution of arbitrary JavaScript in the browser context of the NASA domain.

Successful exploitation could enable session hijacking, data exfiltration, or UI redress attacks. Although classified as an informational issue, this finding illustrates how even lower-risk vulnerabilities can pose reputational or user trust risks when discovered on publicly accessible government web applications.
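As an added illustration that is not part of the disclosure, the JavaScript below models the pattern the summary describes: a lookup page reads a query parameter and writes it into the DOM, with the markup-interpreting sink beside a hardened rendering. The parameter name "provider", the element stand-in and the sample input are assumptions, not details from the report.

```javascript
// Added example (not from the disclosure or the SEWP tool): reflecting a
// lookup parameter into the DOM, unsafe sink beside the hardened form.
// The parameter name "provider" and the element stand-in are assumptions.

// Minimal stand-in for a DOM element so the example runs outside a browser.
// A real browser parses innerHTML as markup; textContent never does.
function fakeElement() {
  return { innerHTML: "", textContent: "", sinkUsed: null };
}

// Encode the characters that let text break out of an HTML text or
// attribute context. Needed whenever a string must be placed into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Read the reflected parameter from a query string such as "?provider=acme".
function providerFromQuery(search) {
  return new URLSearchParams(search).get("provider") ?? "";
}

// VULNERABLE: untrusted input is concatenated into markup and assigned to
// innerHTML, so a value containing tags is interpreted rather than shown.
function renderUnsafe(el, search) {
  const q = providerFromQuery(search);
  el.innerHTML = "<p>Results for: " + q + "</p>";
  el.sinkUsed = "innerHTML";
  return el.innerHTML;
}

// HARDENED: the input is assigned as text, which the browser never parses,
// so the same value is displayed literally.
function renderSafe(el, search) {
  const q = providerFromQuery(search);
  el.textContent = "Results for: " + q;
  el.sinkUsed = "textContent";
  return el.textContent;
}

// When an HTML string is unavoidable, encode the input before concatenating.
function resultMarkup(search) {
  return "<p>Results for: " + escapeHtml(providerFromQuery(search)) + "</p>";
}
```

With a constructed value of "<b>acme</b>", renderUnsafe hands the tags to the parser while renderSafe and resultMarkup display them as literal text.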

Activity Feed

Actor                  Details                           Timestamp (UTC)
Martin                 published                         2025-05-12T18:49:42Z
Uma_Maheshwar_Ayyala   requested                         2025-05-10T10:10:24Z
teapot_bugcrowd        changed the state to informational 2025-04-14T18:01:09Z
teapot_bugcrowd        sent a message                    2025-04-14T18:01:04Z
Uma_Maheshwar_Ayyala   created the submission            2025-04-14T17:17:35Z
