CVE-2017-17714
Description
Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, the /register lat parameter, the /register lon parameter, the /register org parameter, the /register query parameter, the /register region parameter, the /register regionName parameter, the /register timezone parameter, the /register vId parameter, the /register zip parameter, or the /tping id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Trape before 2017-11-05 is vulnerable to reflected XSS via multiple parameters in /nr, /register, and /tping endpoints.
Vulnerability
Trape versions before 2017-11-05 (Community and Professional) are vulnerable to reflected cross-site scripting (XSS) in the /nr, /register, and /tping endpoints. The vulnerable parameters are red and vId in /nr; the User-Agent HTTP header and the country, countryCode, cpu, isp, lat, lon, org, query, region, regionName, timezone, vId, and zip parameters in /register; and id in /tping [1][2]. Input from these parameters is not sanitized or HTML-escaped before being reflected in the response, so arbitrary HTML or JavaScript can be injected into the page.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL or HTTP request containing JavaScript payloads in any of the listed parameters. The victim must be tricked into visiting the crafted URL or sending a request that includes the malicious payload (e.g., via a link or by manipulating the User-Agent). The server then reflects the payload in the response, which executes in the victim's browser. No authentication is required to trigger the XSS, but the victim must have access to the Trape web interface.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session with the Trape application. This can lead to session hijacking, theft of sensitive data displayed in the interface (e.g., tracking information), or performing actions on behalf of the victim. The scope is limited to the Trape application's domain and the privileges of the victim user.
Mitigation
The vulnerability is fixed in versions released after 2017-11-05. Users should update to the latest version of Trape. The relevant commit [1] addresses the underlying input handling issues. No other workarounds are documented; users are advised to restrict access to the Trape web interface to trusted networks only.
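To make the defect class concrete, the following is an added example and not Trape's own code: a hypothetical /register page builder that, in its unsafe mode, concatenates request parameters and the User-Agent header straight into HTML (the pattern the Vulnerability section describes), beside the same builder with HTML escaping applied (the fix the Mitigation section calls for), plus a small regression check that flags any request value reflected verbatim with markup-significant characters. The handler names, the field set, and the sample request are constructed for illustration.

```python
"""Added example (not Trape's code): unescaped reflection of request data vs.
HTML-escaped output, with a regression check for unescaped reflections.
Handler names, fields and the sample request below are hypothetical."""
from html import escape
from urllib.parse import parse_qs

# Characters that change meaning inside HTML when reflected unescaped.
MARKUP_CHARS = set('<>"\'&')

# Constructed sample request (not taken from the original page or the CVE).
CONSTRUCTED_QUERY = "country=%3Cb%3EIT%3C%2Fb%3E&isp=Example%20ISP&vId=abc123"
CONSTRUCTED_HEADERS = {"User-Agent": 'Mozilla/5.0 "<i>tagged</i>"'}


def first(params, key):
    """Return the first value of a parse_qs parameter, or '' if absent."""
    return params.get(key, [""])[0]


def collect_request_values(params, headers):
    """Gather the request values a hypothetical /register page would reflect."""
    return {
        "User-Agent": headers.get("User-Agent", ""),
        "country": first(params, "country"),
        "isp": first(params, "isp"),
        "vId": first(params, "vId"),
    }


def build_register_page(params, headers, escape_output):
    """Hypothetical /register page builder.

    escape_output=False mirrors the defect: values are concatenated straight
    into HTML, so any tag in them becomes part of the page.
    escape_output=True applies html.escape (quote=True) to every value, so the
    browser renders the text literally instead of parsing it as markup.
    """
    enc = (lambda s: escape(s, quote=True)) if escape_output else (lambda s: s)
    rows = "".join(
        f"<tr><td>{enc(name)}</td><td>{enc(value)}</td></tr>"
        for name, value in collect_request_values(params, headers).items()
    )
    return f"<html><body><table>{rows}</table></body></html>"


def unescaped_reflections(response, request_values):
    """Regression check for handlers: names of request values that appear
    verbatim in the response while containing a markup-significant character.
    An empty list means every risky value was escaped (or not reflected)."""
    return [
        name
        for name, value in request_values.items()
        if MARKUP_CHARS & set(value) and value in response
    ]


if __name__ == "__main__":
    params = parse_qs(CONSTRUCTED_QUERY)
    values = collect_request_values(params, CONSTRUCTED_HEADERS)
    unsafe = build_register_page(params, CONSTRUCTED_HEADERS, escape_output=False)
    safe = build_register_page(params, CONSTRUCTED_HEADERS, escape_output=True)
    print("unsafe reflections:", unescaped_reflections(unsafe, values))
    print("safe reflections:  ", unescaped_reflections(safe, values))
```

The check in `unescaped_reflections` is deliberately simple: it only catches values echoed byte-for-byte, which is exactly the condition that turns a query parameter or header into injected markup. Escaping at output time with `html.escape(..., quote=True)` is the correct fix for values placed in HTML text or attribute context; values placed into JavaScript or URL contexts need context-specific encoding instead.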
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/boxug/trape/commit/628149159ba25adbfc29a3ae1d4b10c7eb936dd3 [NVD tags: Issue Tracking, Patch, Third Party Advisory]
- www.seekurity.com/blog/general/cve-2017-17713-and-cve-2017-17714-multiple-sql-injections-and-xss-vulnerabilities-found-in-the-hackers-tracking-tool-trape-boxug/ [NVD tags: Exploit, Issue Tracking, Patch, Third Party Advisory]
- www.youtube.com/watch [NVD tags: Exploit, Issue Tracking, Third Party Advisory]
News mentions (0)
No linked articles in our index yet.