
CVE-2017-15685: XML Injection in Crafter CMS Crafter Studio 3.0.1

CVSS Score (v3.1): 8.6

Basic Information

EPSS Score: 0.83938%
Published: 2/9/2022
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Package Name: org.craftercms:crafter-studio
Ecosystem: maven
Vulnerable Versions: <= 3.0.1
First Patched Version: 3.0.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

All identified functions directly process XML/XSLT content and were modified in the patches to add security features (disabling DTD processing and external entity resolution). The pre-patch versions of these functions lacked these protections, making them susceptible to XXE attacks when parsing untrusted input. The SAXReader/TransformerFactory instances in these methods would have allowed external entity resolution prior to the security hardening shown in the patches.
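The hardening described above, as an added example that is not Crafter Studio's own code: a dom4j SAXReader and a JAXP TransformerFactory configured to refuse DOCTYPE declarations and external entity/DTD access, exercised against a constructed document whose DTD declares an external entity with a placeholder file path. The feature URIs are the standard Xerces/SAX ones and the XMLConstants attributes are supported by the JDK's built-in transformer; a third-party TransformerFactory may reject the attributes with IllegalArgumentException, which is an assumption to verify for your runtime.

```java
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import java.io.StringReader;

public class XmlHardeningCheck {

    // Constructed sample: a DOCTYPE that declares an external entity pointing
    // at a placeholder file path. A parser that resolves external entities
    // would try to read it; the hardened reader rejects the DOCTYPE first.
    static final String SAMPLE_WITH_DTD =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE site [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
          + "<site><name>&ext;</name></site>";

    // Constructed sample: ordinary document without a DTD, which must still parse.
    static final String SAMPLE_PLAIN = "<site><name>example</name></site>";

    /** dom4j SAXReader with DOCTYPE, external entities and external DTD loading disabled. */
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setIncludeExternalDTDDeclarations(false);
        reader.setIncludeInternalDTDDeclarations(false);
        return reader;
    }

    /** JAXP TransformerFactory with secure processing on and external DTD/stylesheet access off. */
    static TransformerFactory hardenedTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string means no protocols are allowed for external access.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** True if the hardened reader accepted the document, false if it rejected it. */
    static boolean acceptedByHardenedReader(String xml) throws SAXException {
        try {
            Document doc = hardenedReader().read(new StringReader(xml));
            return doc != null;
        } catch (DocumentException e) {
            // disallow-doctype-decl makes the parser fail fast on any DOCTYPE,
            // so the external entity is never resolved.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document accepted: " + acceptedByHardenedReader(SAMPLE_PLAIN));
        System.out.println("DTD document accepted:   " + acceptedByHardenedReader(SAMPLE_WITH_DTD));
        // Building the factory is enough to surface an unsupported attribute on this runtime.
        hardenedTransformerFactory();
        System.out.println("hardened TransformerFactory configured");
    }
}
```

The check that matters for a fix like the one in 3.0.2 is the second line of output: a document carrying a DOCTYPE must be rejected before any entity is resolved, while DTD-free content continues to parse. Running the same two inputs through an unconfigured `new SAXReader()` is a quick way to confirm which behaviour a given build actually has.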


WAF Protection Rules

WAF Rule

Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
