CVE-2004-0314
Description
Cross-site scripting vulnerability in WebzEdit 1.9 and earlier allows remote attackers to inject arbitrary script via the message parameter in done.jsp.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
WebzEdit 1.9 and earlier contains a cross-site scripting (XSS) vulnerability in the done.jsp page. The message parameter is not sanitized before being displayed, allowing injection of arbitrary HTML and JavaScript [1]. The vulnerability is present in all versions up to and including 1.9.
Exploitation
An attacker can exploit this by crafting a URL with a malicious payload in the message parameter. For example, `http://host/WebzEdit/done.jsp?message=');alert(document.cookie);a=escape('` will execute JavaScript in the context of the victim's browser [1]. No authentication is required; the attacker only needs to trick a user into visiting the crafted link.
Impact
Successful exploitation allows an attacker to execute arbitrary script in the victim's browser, potentially leading to session hijacking, cookie theft, or defacement. The impact is limited to the user's session and the web application's domain.
Mitigation
No official patch or fixed version has been identified from the vendor (FreeWebs). Users should consider upgrading to a newer version if available, or implement input validation and output encoding for the message parameter. The vulnerability is considered low severity and is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `done.jsp` page does not filter or escape the `message` parameter before reflecting it to the user, allowing injection of arbitrary JavaScript."
Attack vector
An attacker crafts a URL to the `done.jsp` page and injects a malicious JavaScript payload into the `message` parameter [1]. The proof-of-concept URL uses the format `http://host/WebzEdit/done.jsp?message=');[XSS code];a=escape('` to break out of any existing JavaScript context and execute arbitrary script [1]. When a victim visits this crafted URL, the injected script executes in the victim's browser within the security context of the target site, allowing the attacker to steal cookies or perform other actions as the victim [1].
Affected code
The vulnerability resides in `done.jsp` of WebzEdit 1.9 and earlier [1]. The page accepts a `message` parameter via the query string and reflects it back to the user without any sanitization or encoding [1].
What the fix does
The advisory does not include a patch or specific remediation code [1]. The recommended fix is to properly filter or escape the `message` parameter in `done.jsp` before rendering it, preventing the injection of arbitrary HTML or JavaScript [1]. Without such sanitization, any user-supplied input in the `message` parameter is reflected unsafely, enabling cross-site scripting attacks [1].
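An added example, not WebzEdit or advisory code, of the output encoding recommended under Mitigation and here. It assumes, from the `');` prefix of the advisory's message value, that `done.jsp` writes the parameter into a single-quoted JavaScript string; the template shape and the name `showMessage` are hypothetical. JavaScript is used so the rendered script can be executed against stubbed browser globals; the same encoder logic would sit server-side in the JSP.

```javascript
// Added example, not WebzEdit code. ASSUMPTION: done.jsp writes the parameter
// into a single-quoted JavaScript string, e.g. showMessage('<message>'); the
// function name showMessage is hypothetical.

// 'Before': the reflected value is concatenated into the script unchanged.
function renderVulnerable(message) {
  return "showMessage('" + message + "');";
}

// Output encoding for a JavaScript string literal: letters, digits, space and
// ",._" pass through; every other UTF-16 code unit becomes \uXXXX. Quotes,
// backslashes and line breaks can no longer end the string, and with no '<'
// or '&' left the value cannot close a <script> block or be rewritten by
// entity decoding inside an event-handler attribute.
function encodeForJsString(value) {
  let out = '';
  const text = String(value);
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    out += /[A-Za-z0-9 ,._]/.test(ch)
      ? ch
      : '\\u' + text.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// 'After': same template, with the value encoded for its context.
function renderEncoded(message) {
  return "showMessage('" + encodeForJsString(message) + "');";
}

// Run a rendered script against stubbed browser globals and record the calls.
// 'a' is declared as a parameter so the payload's assignment stays local.
function runScript(script) {
  const calls = { shown: [], alerts: [] };
  const run = new Function('showMessage', 'alert', 'document', 'escape', 'a', script);
  run((m) => calls.shown.push(m), (m) => calls.alerts.push(m),
      { cookie: 'SESSION=constructed-value' }, (s) => s);
  return calls;
}

// The message value from the advisory URL quoted on this page.
const ADVISORY_MESSAGE = "');alert(document.cookie);a=escape('";

console.log('vulnerable:', runScript(renderVulnerable(ADVISORY_MESSAGE)));
console.log('encoded:   ', runScript(renderEncoded(ADVISORY_MESSAGE)));
```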
Preconditions
- network: The target must be running WebzEdit 1.9 or earlier with done.jsp accessible
- input: The attacker must lure a victim into visiting a crafted URL containing the XSS payload in the message parameter
Reproduction
Visit the following URL in a browser: `http://host/WebzEdit/done.jsp?message=');alert(document.cookie);a=escape('`. If the application is vulnerable, a JavaScript alert box displaying the current page's cookies will appear [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.