VYPR
Moderate severity · NVD Advisory · Published Jan 4, 2018 · Updated Sep 17, 2024

CVE-2017-17837

Description

Apache DeltaSpike-JSF 1.8.0 has an XSS injection vulnerability in windowId handling; fixed in 1.8.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Apache DeltaSpike JSF module in version 1.8.0 has a cross-site scripting (XSS) injection vulnerability in its windowId handling in WindowIdHtmlRenderer.java. The windowId value is written directly into a JavaScript string inside a rendered script block without escaping, so a crafted value can inject arbitrary HTML or script. The default maxWindowIdLength truncates the value to 10 characters, which constrains a crafted payload but does not eliminate the risk. The issue is specific to version 1.8.0 [1][2].

Exploitation

An attacker exploits this vulnerability by supplying a crafted windowId value, for example via a URL parameter or other untrusted input that the JSF component processes. The value is inserted into the JavaScript block rendered by encodeBegin(). No special network position or authentication is required beyond the ability to influence the windowId value. If the injected string contains JavaScript that fits within the 10-character limit (or the limit has been raised), the script runs when the page is rendered [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to disclosure of sensitive information, session hijacking, or defacement of the application UI. The impact is limited by the default character truncation, but in environments where the maxWindowIdLength is increased or the payload fits within 10 characters, the attack is fully effective [1][2].

Mitigation

The vulnerability is fixed in Apache DeltaSpike 1.8.1, released in January 2018. The fix changes the encodeBegin() method to use writeText() instead of direct string concatenation, which properly escapes the windowId value [3][4]. Users should upgrade to DeltaSpike 1.8.1 or later. No workaround is provided for version 1.8.0.
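The DeltaSpike fix on this page routes windowId through the JSF ResponseWriter's writeText() call. The class below is an added example and is not DeltaSpike code: in plain Java with no JSF dependency, it places the 1.8.0 concatenation pattern beside a hardened variant that first rejects any windowId outside a short alphanumeric allowlist bounded by maxWindowIdLength (so a rejected value never reaches the writer at all) and then escapes whatever is rendered for the single-quoted JavaScript string literal it lands in. The class and method names, the simplified dswh.init(...) call, the "CLIENTWINDOW" mode string and the sample windowId are all constructed assumptions for illustration.

```java
import java.util.regex.Pattern;

/** Added example, not DeltaSpike code: vulnerable concatenation vs. hardened rendering of windowId. */
public final class WindowIdRenderingExample {

    /** Default truncation length named in the advisory. */
    static final int MAX_WINDOW_ID_LENGTH = 10;

    /**
     * Allowlist for the window id. Window ids are short opaque tokens, so the
     * hardened path rejects anything else instead of trying to escape it
     * (assumption: this deployment never needs other characters).
     */
    static final Pattern SAFE_WINDOW_ID =
        Pattern.compile("[A-Za-z0-9_-]{1," + MAX_WINDOW_ID_LENGTH + "}");

    /** The 1.8.0 shape: the untrusted value is concatenated straight into a JS string literal. */
    static String renderVulnerable(String windowId, String renderMode) {
        return "<script type=\"text/javascript\">(function(){"
            + "dswh.init('" + windowId + "','" + renderMode + "',"
            + MAX_WINDOW_ID_LENGTH + ",{});})();</script>";
    }

    /**
     * Escape a value for a single-quoted JavaScript string literal that is itself
     * inside an HTML script element. Angle brackets and ampersands become Unicode
     * escapes so the text can never close the element; quotes, backslashes and
     * line terminators are escaped so the literal cannot be terminated early.
     */
    static String escapeJsStringLiteral(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\':     out.append("\\\\");   break;
                case '\'':     out.append("\\'");    break;
                case '"':      out.append("\\\"");   break;
                case '<':      out.append("\\u003C"); break;
                case '>':      out.append("\\u003E"); break;
                case '&':      out.append("\\u0026"); break;
                case '\n':     out.append("\\n");     break;
                case '\r':     out.append("\\r");     break;
                case '\u2028': out.append("\\u2028"); break;
                case '\u2029': out.append("\\u2029"); break;
                default:       out.append(c);
            }
        }
        return out.toString();
    }

    /** Hardened: allowlist first, then escape what is rendered regardless (defense in depth). */
    static String renderHardened(String windowId, String renderMode) {
        if (windowId == null || !SAFE_WINDOW_ID.matcher(windowId).matches()) {
            throw new IllegalArgumentException("windowId rejected by allowlist");
        }
        return "<script type=\"text/javascript\">(function(){"
            + "dswh.init('" + escapeJsStringLiteral(windowId) + "','"
            + escapeJsStringLiteral(renderMode) + "',"
            + MAX_WINDOW_ID_LENGTH + ",{});})();</script>";
    }

    public static void main(String[] args) {
        // Constructed sample: a quote and a closing tag, the two things that
        // terminate the literal or the element in the vulnerable rendering.
        String tampered = "a'</script>";
        String mode = "CLIENTWINDOW"; // constructed sample mode name

        System.out.println("vulnerable: " + renderVulnerable(tampered, mode));
        System.out.println("escaped:    " + escapeJsStringLiteral(tampered));
        try {
            renderHardened(tampered, mode);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened:   " + e.getMessage());
        }
        System.out.println("hardened:   " + renderHardened("a1b2c3d4e5", mode));
    }
}
```

Compile and run with javac/java; the first line printed shows the vulnerable output with the script element closed in the middle of the literal, the second shows the same value neutralised, and the third shows the allowlist rejecting it before any rendering happens. The allowlist is the stronger of the two controls here because a legitimate window id is a short token: escaping only matters for the characters that slip through, and an HTML-text escape applied to a value that sits in a JavaScript string is not the same contract as a JavaScript-literal escape.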

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.deltaspike.modules:jsf-module-project (Maven)
Affected versions: < 1.8.1
Patched versions: 1.8.1

Patches

4e2502358526

DELTASPIKE-1307 escape windowId

https://github.com/apache/deltaspike · Mark Struberg · Dec 20, 2017 · via ghsa
1 file changed · +3 −1
  • deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java  +3 −1  modified
    @@ -77,7 +77,9 @@ public void encodeBegin(FacesContext context, UIComponent component) throws IOEx
             ResponseWriter writer = context.getResponseWriter();
             writer.write("<script type=\"text/javascript\">");
             writer.write("(function(){");
    -        writer.write("dswh.init('" + windowId + "','"
    +        writer.write("dswh.init('");
    +        writer.writeText(windowId, null);
    +        writer.write("','"
                     + clientWindowRenderMode.name() + "',"
                     + maxWindowIdLength + ",{");
     
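Review bot: writeText(windowId, null) applies the ResponseWriter's HTML text escaping, but the value is emitted between the "dswh.init('" and "','" writes, i.e. inside a single-quoted JavaScript string literal within the script element opened two lines earlier, so the escaping context and the injection context differ; whether a single quote in windowId is neutralised depends on the JSF implementation's writer rather than on this code. Since maxWindowIdLength is already passed on the next line and a legitimate window id is a short token, consider validating windowId against an allowlist (alphanumeric, at most maxWindowIdLength characters) before this renderer runs, so that rejected values never reach the writer, and add a renderer test that feeds a quote and a closing script tag through windowId to pin the escaping behaviour for both JSF implementations.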
    

