Miggo Logo
Miggo Vulnerability Database
CVE-2017-17837

CVE-2017-17837: Cross-site Scripting in Apache DeltaSpike

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2017-17837
GHSA ID
GHSA-4q23-g7mf-xp98
EPSS Score
0.79146%
CWE
CWE-79
Published
5/13/2022
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.deltaspike.modules:jsf-module-projectmaven< 1.8.11.8.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper output encoding when handling the windowId parameter in JSF component rendering. The commit diff shows the fix replaced direct string concatenation ('dswh.init("' + windowId + '"') with proper escaping via writer.writeText(). This matches the CWE-79 XSS pattern of embedding untrusted data without neutralization in web output. The JIRA ticket DELTASPIKE-1307 explicitly references this code location and the XSS risk.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *p**** **lt*Spik*-JS* *.*.* mo*ul* **s * XSS inj**tion l**k in t** win*owI* **n*lin*. T** ****ult siz* o* t** win*owI* **t's *ut o** **t*r ** ***r**t*rs (*y ****ult), so t** imp**t mi**t ** limit**. * *ix *ot *ppli** *n* r*l**s** in *p**** **lt*s

Reasoning

T** vuln*r**ility st*ms *rom improp*r output *n*o*in* w**n **n*lin* t** win*owI* p*r*m*t*r in JS* *ompon*nt r*n**rin*. T** *ommit *i** s*ows t** *ix r*pl**** *ir**t strin* *on**t*n*tion ('*sw*.init("' + win*owI* + '"') wit* prop*r *s**pin* vi* `writ*