
CVE-2017-15682: Cross site scripting in Crafter CMS

Basic Information

CVSS Score: N/A
EPSS Score: 0.7982%
Published: 5/24/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.craftercms:crafter-core | maven | >= 3.0.0, < 3.0.1 | 3.0.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The security patch adds @ResponseBody annotations to the affected exception handlers so that they return structured responses (JSON/XML) instead of HTML. This indicates that the vulnerability lay in these exception handlers: they returned HTML responses containing unescaped, user-controlled data carried in the exception messages. An attacker could trigger these exceptions with malicious input, and the injected script would then execute in the admin panel. In runtime profiles, the pre-patch versions of these methods would appear while handling malicious requests that trigger exceptions carrying XSS payloads.
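As an added illustration of the pattern the analysis describes (not Crafter CMS code; the class, handler and exception names are hypothetical), a Spring MVC exception handler that writes the exception message into a text/html response, beside the @ResponseBody form that returns a structured body, and the escaping needed if an HTML error page is kept:

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.util.HtmlUtils;

// Hypothetical handlers, written for this example; not the project's code.
@ControllerAdvice
public class ExampleErrorHandlers {

    // Vulnerable pattern: the exception message (which often echoes the
    // request input that caused the failure) is concatenated into markup and
    // served as text/html, so any script in it runs in the viewer's browser,
    // e.g. an administrator looking at the error page.
    @ExceptionHandler(IllegalArgumentException.class)
    public void vulnerableHtmlError(IllegalArgumentException e,
                                    HttpServletResponse resp) throws IOException {
        resp.setStatus(HttpStatus.BAD_REQUEST.value());
        resp.setContentType("text/html");
        resp.getWriter().write("<html><body><h1>Error</h1><p>"
                + e.getMessage() + "</p></body></html>");
    }

    // Patched pattern (the approach the advisory describes): @ResponseBody makes
    // Spring serialise the return value through a message converter, so the
    // response is application/json (or XML) and the message is a string field,
    // not markup the browser will interpret.
    @ExceptionHandler(IllegalStateException.class)
    @ResponseStatus(HttpStatus.CONFLICT)
    @ResponseBody
    public Map<String, String> structuredError(IllegalStateException e) {
        return Map.of("message", e.getMessage());
    }

    // If an HTML error page must be kept, the message has to be escaped before
    // it is placed in the document; this is the helper such a handler should use.
    public static String renderHtmlErrorEscaped(Exception e) {
        return "<html><body><h1>Error</h1><p>"
                + HtmlUtils.htmlEscape(e.getMessage()) + "</p></body></html>";
    }
}
```

Only one handler per exception type is registered here, so the vulnerable and structured methods are bound to different exceptions purely to keep the example compilable; in a real fix the vulnerable method is the one replaced.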


WAF Protection Rules

WAF Rule

In Crafter CMS Crafter Studio 3.0.0 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
