
CVE-2017-17837: Cross-site Scripting in Apache DeltaSpike

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.79146%
Published: 5/13/2022
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name                                       Ecosystem   Vulnerable Versions   First Patched Version
org.apache.deltaspike.modules:jsf-module-project   maven       < 1.8.1               1.8.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper output encoding when handling the windowId parameter in JSF component rendering. The commit diff shows the fix replaced direct string concatenation ('dswh.init("' + windowId + '"') with proper escaping via writer.writeText(). This matches the CWE-79 XSS pattern of embedding untrusted data without neutralization in web output. The JIRA ticket DELTASPIKE-1307 explicitly references this code location and the XSS risk.


WAF Protection Rules

WAF Rule

The Apache DeltaSpike-JSF 1.8.0 module has an XSS injection leak in the windowId handling. The default size of the windowId gets cut off after 10 characters (by default), so the impact might be limited. A fix got applied and released in Apache Deltas
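The following is an added example, not DeltaSpike's own code, illustrating both the concatenation pattern named in the Root Cause Analysis above and the length cap mentioned in the description above. It uses a small stub in place of javax.faces.context.ResponseWriter (an assumption; the real writeText takes a second property argument and is omitted here), an allow-list pattern SAFE_WINDOW_ID and the sample attacker value are constructed for this example, and the 10-character limit is taken from the description rather than from DeltaSpike's configuration.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the DeltaSpike project): the raw string
 * concatenation of a windowId into an inline <script> beside a
 * validated, encoded rendering of the same value.
 */
public class WindowIdRenderingExample {

    /** Stub standing in for the two ResponseWriter methods used here (assumption). */
    static final class StubResponseWriter {
        private final StringBuilder out = new StringBuilder();

        /** Raw write with no encoding, like ResponseWriter.write(String). */
        void write(String s) {
            out.append(s);
        }

        /** HTML-entity encoding of the characters an HTML writer neutralises. */
        void writeText(Object value) {
            String s = String.valueOf(value);
            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);
                switch (c) {
                    case '<':  out.append("&lt;");   break;
                    case '>':  out.append("&gt;");   break;
                    case '&':  out.append("&amp;");  break;
                    case '"':  out.append("&quot;"); break;
                    default:   out.append(c);
                }
            }
        }

        String html() {
            return out.toString();
        }
    }

    /** Vulnerable pattern: the untrusted windowId is concatenated straight into JavaScript. */
    static String renderVulnerable(String windowId) {
        StubResponseWriter writer = new StubResponseWriter();
        writer.write("<script type=\"text/javascript\">");
        writer.write("dswh.init(\"" + windowId + "\");");
        writer.write("</script>");
        return writer.html();
    }

    /** Allow-list for the id: alphanumeric, at most 10 characters (constructed assumption). */
    static final Pattern SAFE_WINDOW_ID = Pattern.compile("[A-Za-z0-9]{1,10}");

    /** Hardened pattern: reject anything outside the allow-list, then emit via the encoding writer. */
    static String renderHardened(String windowId) {
        if (windowId == null || !SAFE_WINDOW_ID.matcher(windowId).matches()) {
            throw new IllegalArgumentException("rejected windowId: not alphanumeric or longer than 10 characters");
        }
        StubResponseWriter writer = new StubResponseWriter();
        writer.write("<script type=\"text/javascript\">");
        writer.write("dswh.init(\"");
        writer.writeText(windowId);
        writer.write("\");");
        writer.write("</script>");
        return writer.html();
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value: closes the string literal and injects a call.
        String attackerId = "\");alert(document.cookie);//";
        System.out.println("vulnerable: " + renderVulnerable(attackerId));
        try {
            renderHardened(attackerId);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened  : " + e.getMessage());
        }
        // A benign id passes validation and is emitted unchanged.
        System.out.println("hardened  : " + renderHardened("w7Kq2"));
    }
}
```

Run it with `javac WindowIdRenderingExample.java && java WindowIdRenderingExample`. The vulnerable output contains `dswh.init("");alert(document.cookie);//");`, i.e. the attacker's value has left the string literal. Two design points are worth keeping in mind when reviewing a fix of this shape: HTML entity encoding is the encoding for HTML text, not for a JavaScript string inside a <script> block, so on its own it stops the breakout but can corrupt legitimate values; a strict allow-list on the id, which is what a short random windowId should satisfy anyway, is the control that makes the emitted script safe regardless of encoder. The 10-character cap noted in the description limits payload size but is not itself a defence, as the constructed value above shows once the cap is removed or raised.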
