CVE-2017-5963

An issue was discovered in caddy (for TYPO3) before 7.2.10. The vulnerability exists due to insufficient filtration of user-supplied data in the "paymillToken" HTTP POST parameter passed to the "caddy/Resources/Public/JavaScript/e-payment/paymill/api/php/payment.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Published: Feb 12, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-5963
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
caddy_project / caddy	2.1.4-alpha	2.1.4-alpha.x
caddy_project / caddy	2.1.5-alpha	2.1.5-alpha.x
caddy_project / caddy	2.1.6-alpha	2.1.6-alpha.x
caddy_project / caddy	3.0.0-alpha	3.0.0-alpha.x
caddy_project / caddy	4.0.0-alpha	4.0.0-alpha.x
caddy_project / caddy	4.0.1-alpha	4.0.1-alpha.x
caddy_project / caddy	4.0.2-alpha	4.0.2-alpha.x
caddy_project / caddy	4.0.3-alpha	4.0.3-alpha.x
caddy_project / caddy	4.0.12-alpha	4.0.12-alpha.x
caddy_project / caddy	6.0.1-alpha	6.0.1-alpha.x
caddy_project / caddy	6.0.2-alpha	6.0.2-alpha.x
caddy_project / caddy	6.0.9-alpha	6.0.9-alpha.x
caddy_project / caddy	6.0.12-beta	6.0.12-beta.x
caddy_project / caddy	6.0.14-beta	6.0.14-beta.x
caddy_project / caddy	6.1.0-beta	6.1.0-beta.x
caddy_project / caddy	6.2.1-beta	6.2.1-beta.x
caddy_project / caddy	6.3.0-beta	6.3.0-beta.x
caddy_project / caddy	6.3.1-beta	6.3.1-beta.x
caddy_project / caddy	6.3.3-beta	6.3.3-beta.x
caddy_project / caddy	7.0.0-beta	7.0.0-beta.x
caddy_project / caddy	7.1.0-beta	7.1.0-beta.x
caddy_project / caddy	7.2.7-beta	7.2.7-beta.x

Vulnerability Database

289,598

CVE-2017-5963