VYPR
Medium severity (CVSS 6.1) · NVD Advisory · Published Dec 28, 2017 · Updated May 13, 2026

CVE-2017-17948

Description

Cells Blog 3.5 has XSS via the jfdname parameter in an act=showpic request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cells Blog 3.5 contains a reflected XSS vulnerability in the jfdname parameter of the showpic action, allowing arbitrary script execution.

Vulnerability

Cells Blog version 3.5 is vulnerable to a reflected cross-site scripting (XSS) attack in the /fotos/ endpoint when handling the act=showpic request. The jfdname parameter is not sanitized before being reflected in the response, allowing injection of arbitrary HTML and JavaScript. The official demo site was affected [1].

Exploitation

An attacker can craft a malicious URL that includes a payload in the jfdname parameter, such as `<svg/onload=alert(/xss/)>`. No authentication or special privileges are required; the victim only needs to click the link or visit the crafted URL. The attack is reflected, so the payload is executed in the context of the vulnerable site.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. The attack is limited to reflected XSS, so no persistent compromise occurs on the server.

Mitigation

The vendor had not released a patch as of the publication date (2017-12-28), and no fix is mentioned in the reference, so the vulnerability remains unpatched. According to the reference, the affected software is "cell blog" version 3.5. Users should upgrade to a patched version once one is available, or in the meantime deploy a web application firewall (WAF) that filters malicious input to the jfdname parameter.
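As an added defender-side example (not from the advisory or the Cells Blog project), the following Python flags access-log requests to the showpic action whose jfdname value carries HTML markup or event-handler syntax, which is what a WAF rule or log review for this CVE would look for. The /fotos/ path, the Common Log Format layout and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines in Common Log Format (not real traffic).
# Line 2 carries the probe string quoted in the advisory, URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Dec/2017:10:01:02 +0000] "GET /fotos/?act=showpic&jfdname=holiday.jpg HTTP/1.1" 200 5120
203.0.113.7 - - [28/Dec/2017:10:01:09 +0000] "GET /fotos/?act=showpic&jfdname=%3Csvg%2Fonload%3Dalert(%2Fxss%2F)%3E HTTP/1.1" 200 734
203.0.113.9 - - [28/Dec/2017:10:02:15 +0000] "GET /index.php?act=list HTTP/1.1" 200 2048
"""

# ip, timestamp, method, request target, status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A filename should never contain tag delimiters, quotes, a javascript: URL or an on*= handler.
MARKUP_RE = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)


def find_showpic_probes(log_text):
    """Return one record per request to act=showpic whose jfdname contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        params = parse_qs(url.query, keep_blank_values=True)  # decodes %XX once
        if params.get("act") != ["showpic"]:
            continue
        for raw in params.get("jfdname", []):
            value = unquote(raw)  # second pass so double-encoded payloads are not missed
            if MARKUP_RE.search(value):
                hits.append({"ip": m.group("ip"), "timestamp": m.group("ts"), "jfdname": value})
    return hits


if __name__ == "__main__":
    for hit in find_showpic_probes(SAMPLE_LOG):
        print(hit)
```

Only the second constructed line is reported; the benign showpic request and the unrelated act=list request are ignored.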

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)