CVE-2017-1000510
Description
Croogo 2.3.1-17-g6f82e6c has a stored XSS vulnerability in the Page name field, allowing admin-level users to execute arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Croogo version 2.3.1-17-g6f82e6c contains a stored Cross-Site Scripting (XSS) vulnerability in the Page name field. The application fails to properly sanitize user input when creating or editing pages, allowing arbitrary HTML and JavaScript to be injected. This affects the admin panel's page list view where the page name is rendered without encoding. [1][2]
Exploitation
An attacker must have administrative access (or a role with page creation privileges) to the Croogo backend. The steps are: log in, navigate to create a new page, set the page name to a malicious payload such as ``, and save the page. When the attacker (or another admin) visits the page list section, the payload executes in the context of the admin panel. [2]
Impact
Successful exploitation allows arbitrary JavaScript execution in the admin panel. However, the impact is limited because Croogo uses HTTPOnly cookies for session tokens, preventing session hijacking via XSS. The attacker can perform actions within the admin interface as the victim user, such as modifying content or creating new admin accounts, depending on the victim's privileges. [2]
Mitigation
No specific fix version is mentioned in the available references. The issue was reported on GitHub, and users are advised to apply input sanitization or upgrade to a patched version if available. As of the publication date (2018-02-09), no official patch release is documented. [1][2]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| croogo/croogo (Packagist) | < 4.0.0 | 4.0.0 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of user-controllable input in the Page name field before rendering it in the admin page list allows stored cross-site scripting."
Attack vector
An attacker who can log into the Croogo admin panel (or a role with page-creation privileges) creates a new page and sets the page name to a JavaScript payload such as `
Affected code
The vulnerability exists in the Page name field within Croogo's admin panel. When creating or editing a page, the application does not sanitize the user-supplied page name before storing it and later rendering it in the page list view.
What the fix does
The advisory [1] does not include a patch diff, but the expected remediation is to HTML-encode the page name before rendering it in the admin page list. The reporter notes that the application already uses HTTPOnly session cookies, which limits the impact of XSS, but proper output encoding would prevent arbitrary JavaScript execution regardless.
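The remediation described above, output-encoding the page name at the point where the page list is rendered, shown as an added example. This is not Croogo's own code and makes no claim about where Croogo's template lives: it is a plain-PHP rendering of a page-list row in a vulnerable form and a hardened form, using `htmlspecialchars` (the same function the CakePHP `h()` template helper wraps). The page rows, ids and names are constructed samples.

```php
<?php
// Added example, not Croogo's code: a page-list row rendered with and without
// output encoding. The rows below are constructed samples.

/**
 * Encode an untrusted value for insertion into HTML text or a double-quoted
 * attribute. ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning '' (which would silently blank the name).
 */
function encodePageName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored page name is concatenated into the markup
// verbatim, so any tag stored in the name becomes part of the admin page.
function renderRowUnsafe(array $page): string
{
    return '<tr><td><a href="/admin/pages/edit/' . (int) $page['id'] . '">'
        . $page['name'] . '</a></td></tr>';
}

// Hardened pattern: every untrusted value is encoded at output time. In a
// CakePHP/Croogo template the framework's h() helper does the same job.
function renderRowSafe(array $page): string
{
    return '<tr><td><a href="/admin/pages/edit/' . (int) $page['id'] . '">'
        . encodePageName($page['name']) . '</a></td></tr>';
}

// Reviewer's regression check: encoded output must never contain the raw
// opening of a tag that came from the stored name.
function leaksRawTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample rows: one benign, one carrying markup in the name.
$pages = [
    ['id' => 1, 'name' => 'About us'],
    ['id' => 2, 'name' => 'Home <script>alert("page list")</script>'],
];

foreach ($pages as $page) {
    echo 'unsafe: ' . renderRowUnsafe($page) . PHP_EOL;
    echo 'safe:   ' . renderRowSafe($page) . PHP_EOL;
}

// Expected: the unsafe row reproduces the tag, the safe row does not.
var_dump(leaksRawTag(renderRowUnsafe($pages[1])));  // bool(true)
var_dump(leaksRawTag(renderRowSafe($pages[1])));    // bool(false)
```

The second sample name renders as `Home &lt;script&gt;alert(&quot;page list&quot;)&lt;/script&gt;` in the safe row, so the browser shows it as literal text instead of executing it. Encoding belongs in the view, not only on input: a name stored before the fix was deployed is still rendered safely, and the same stored value can be reused unencoded in non-HTML contexts such as JSON responses.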
Preconditions
- auth: Attacker must have a valid account with permission to create or edit pages (e.g., administrator or contributor role).
- network: Attacker must have network access to the Croogo admin panel.
- input: The page name input field must accept arbitrary strings without sanitization.
Reproduction
1. Log into the Croogo admin panel.
2. Navigate to create a new page.
3. Set the page's name to `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
- github.com/advisories/GHSA-r4h9-gv2m-9x97 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-1000510 (GHSA, ADVISORY)
- github.com/croogo/croogo/issues/847 (GHSA, x_refsource_CONFIRM, WEB)
News mentions: 0
No linked articles in our index yet.