// For flags

CVE-2017-7296

 

Severity Score

6.1
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered in Contiki Operating System 3.0. A Persistent XSS vulnerability is present in the MQTT/IBM Cloud Config page (aka mqtt.html) of cc26xx-web-demo. The cc26xx-web-demo features a webserver that runs on a constrained device. That particular page allows a user to remotely configure that device's operation by sending HTTP POST requests. The vulnerability consists of improper input sanitisation of the text fields on the MQTT/IBM Cloud config page, allowing for JavaScript code injection.

Fue descubierto un problema en el Contiki Operating System versión 3.0. Una vulnerabilidad de tipo XSS persistente está presente en la página de Configuración MQTT/IBM Cloud (también se conoce como mqtt.html) de cc26xx-web-demo. El cc26xx-web-demo cuenta con un servidor web que se ejecuta en un dispositivo restringido. Esa página en particular permite a un usuario configurar remotamente el funcionamiento de ese dispositivo mediante el envío de peticiones HTTP POST. La vulnerabilidad consiste en un saneamiento de entrada inapropiada de los campos de texto en la página de configuración de MQTT/IBM Cloud, lo que permite la inyección de código JavaScript.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-03-28 CVE Reserved
  • 2017-05-28 CVE Published
  • 2023-04-06 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
URL Tag Source
http://www.securityfocus.com/bid/98790 Third Party Advisory
https://gist.github.com/jackmcbride/c9328627f1ee104ce84f3fb7eff42f1e Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Contiki-os
Search vendor "Contiki-os"
 Contiki
Search vendor "Contiki-os" for product "Contiki"
 3.0
Search vendor "Contiki-os" for product "Contiki" and version "3.0"
-
Affected