CVE-2017-15683
Description
Unauthenticated attacker can create a site with crafted XML to retrieve OS files out-of-band in Crafter CMS Crafter Studio 3.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attacker can create a site with crafted XML to retrieve OS files out-of-band in Crafter CMS Crafter Studio 3.0.1.
Vulnerability
Overview
In Crafter CMS Crafter Studio version 3.0.1, an unauthenticated attacker is able to create a site with specially crafted XML. This XML, when processed, triggers an out-of-band retrieval of arbitrary OS files, allowing the attacker to exfiltrate sensitive data from the server's file system [1].
Attack
Vector
The vulnerability can be exploited without any prior authentication. The attacker leverages the site creation functionality to inject malicious XML content. The crafted XML is designed to cause the server to fetch or read files outside the intended scope, returning them through an out-of-band channel [1].
Impact
Successful exploitation leads to unauthorized reading of operating system files, such as configuration files, credentials, or other sensitive data. This information disclosure could serve as a stepping stone for further attacks against the affected Crafter CMS instance [1].
Mitigation
At the time of publication, no specific patch or mitigation details are provided in the official description. Users should monitor vendor communications for updates and consider applying security best practices, such as restricting network access to the Crafter Studio interface and validating any XML input [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.craftercms:crafter-coreMaven | >= 3.0.0, < 3.0.1 | 3.0.1 |
Affected products
2- Crafter CMS/Crafter Studiodescription
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4- github.com/advisories/GHSA-p2vm-88rg-wfr2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-15683ghsaADVISORY
- crafter.commitrex_refsource_MISC
- docs.craftercms.org/en/3.0/security/advisory.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.