CVE-2017-18286
Description
nZEDb v0.7.3.3 has a cross-site scripting vulnerability in the 404 error page via unsanitized URL output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
nZEDb version 0.7.3.3 contains a cross-site scripting (XSS) vulnerability in the 404 error page. The $page variable is printed without sanitization in BasePage.php at line 297, allowing injection of arbitrary HTML and JavaScript. [1][4]
Exploitation
An attacker can craft a URL containing malicious JavaScript code, such as ``. When a victim visits the crafted URL, the malicious script executes in the context of the nZEDb site. No authentication is required. [1][4]
Impact
A successful XSS attack allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session theft, defacement, or theft of sensitive information. [1][4]
Mitigation
The nZEDb project is no longer actively maintained [2]. As a workaround, administrators should apply a filter like htmlspecialchars() to the $page variable in BasePage.php. However, no official patch has been released. [4]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nzedb/nzedb (Packagist) | < 0.8.0.0 | 0.8.0.0 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output encoding of user-controllable input in the 404 error page allows cross-site scripting."
Attack vector
An attacker can craft a URL that triggers a 404 error on the nZEDb site and includes malicious JavaScript in the URL path or query string. Because the 404 error page does not sanitize user-controllable input before rendering it in the HTML output, the injected script executes in the victim's browser context [CWE-79]. No authentication is required; the attacker simply needs to lure a victim to visit the crafted URL.
Affected code
The vulnerability is in the 404 error page of nZEDb v0.7.3.3. The advisory does not specify the exact file or function responsible for rendering the 404 page, but the error page fails to neutralize user-controllable input before outputting it.
What the fix does
No patch is provided in the bundle. The advisory [1] indicates nZEDb is no longer actively maintained, so no official fix has been published. To remediate, the 404 error page should properly encode or escape all user-supplied input (such as the requested URL or query parameters) before including it in the HTML response, preventing script injection.
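The mitigation described in the Mitigation section and here (encode the user-controllable $page value with htmlspecialchars() before it reaches the HTML response), illustrated as an added PHP example; this is not nZEDb's BasePage.php, and the function names, template string and sample path are assumptions:

```php
<?php
// Added example, not nZEDb's own code. Shows the unsafe output pattern the
// advisory describes beside the encoded version. Function names and the
// template string are assumptions for illustration.

declare(strict_types=1);

// Vulnerable pattern: the requested path is interpolated into HTML verbatim,
// so any markup in the URL becomes part of the page DOM.
function render404Unsafe(string $page): string
{
    return "<h1>404</h1><p>Page \"$page\" not found.</p>";
}

// Hardened pattern: encode for an HTML text context before output.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string, and the explicit
// charset avoids encoding mismatches.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render404Safe(string $page): string
{
    return '<h1>404</h1><p>Page "' . escapeHtml($page) . '" not found.</p>';
}

// Constructed sample request path containing markup and quotes, standing in
// for the user-controllable URL the 404 handler echoes back.
$requested = '/missing/<i>"page"</i>';

echo render404Unsafe($requested), PHP_EOL;  // markup is emitted unchanged
echo render404Safe($requested), PHP_EOL;    // markup is emitted as entities

// Self-check: no raw angle brackets or double quotes from the input survive
// in the hardened output, so the browser renders them as text.
$safe = render404Safe($requested);
if (strpos($safe, '<i>') !== false || strpos($safe, '"page"') !== false) {
    fwrite(STDERR, "encoding failed\n");
    exit(1);
}
```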
Preconditions
- Input: The attacker must be able to craft a URL that triggers a 404 error on the nZEDb site.
- Network: The victim must visit the crafted URL in a browser.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- [1] github.com/advisories/GHSA-h847-63fg-vm6c (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2017-18286 (NVD advisory)
- [3] github.com/nZEDb/nZEDb/issues/2512 (web)
- [4] github.com/nZEDb/nZEDb/pull/2513/commits/ca78b0840d98b9a09eef74ba6121a9c6143a7f44 (web)
- [5] packetstormsecurity.com/files/143725/nZEDb-0.7.3.3-Cross-Site-Scripting.html (web, x_refsource_MISC)