On July 23rd, MS-ISAC flagged a file sitting in a Granicus managed Amazon AWS storage service called S3 as being potentially affected by the Magecart Campaign vulnerability. In the alert, govAccess was cited as being the affected product. Alerts were sent to MS-ISAC Members via email of the following title " Message from the MS-ISAC: Supply Chain Compromise - Granicus govAccess CMS Serving MageCart Information Skimming Code - TLP: AMBER"Response/Resolution
In regards to the greater Magecart vulnerability, Granicus identified and resolved this original vulnerability in one of its Amazon S3 assets back in April 2019. During that time it was confirmed that no production or application systems were affected. Additionally the Amazon S3 asset associated with this alert was related to Granicus Boards and Commissions, not govAccess, as reported.
A full technical description / analysis is also being drafted and will be made available upon request. If you have any questions, please contact Granicus Customer Support via our portal http://support.granicus.com
Granicus Security and Support