CVE-2017-7296
Description
An issue was discovered in Contiki Operating System 3.0. A Persistent XSS vulnerability is present in the MQTT/IBM Cloud Config page (aka mqtt.html) of cc26xx-web-demo. The cc26xx-web-demo features a webserver that runs on a constrained device. That particular page allows a user to remotely configure that device's operation by sending HTTP POST requests. The vulnerability consists of improper input sanitisation of the text fields on the MQTT/IBM Cloud config page, allowing for JavaScript code injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Persistent XSS in Contiki OS 3.0's MQTT config page allows remote attackers to inject arbitrary JavaScript via unsanitized POST parameters.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in the MQTT/IBM Cloud Config page (mqtt.html) of the cc26xx-web-demo application in Contiki Operating System 3.0 [1]. The page accepts HTTP POST requests to configure the device, but fails to sanitize user-supplied input in text fields, allowing arbitrary JavaScript code to be stored and later executed in the browser of any user viewing the configuration page.
Exploitation
An attacker can send a crafted HTTP POST request to the vulnerable mqtt.html endpoint with malicious JavaScript embedded in one or more text fields. No authentication is required, and the web interface is typically exposed on the local network. The injected script is stored and executed when an administrator or other user accesses the configuration page, triggering the payload in the context of the web application.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the security context of the device's web interface. This can lead to session hijacking, credential theft, unauthorized configuration changes, or further attacks against the local network. The impact is limited to the web interface and does not directly compromise the underlying Contiki OS.
Mitigation
As of the publication date, no official patch has been released for Contiki OS 3.0. Users should restrict network access to the web interface (e.g., via firewall rules) and avoid exposing it to untrusted networks. If possible, disable the MQTT/IBM Cloud configuration functionality or upgrade to a patched version if one becomes available.
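The root cause described above is missing output encoding: values received from the POST form are stored and later written back into the configuration page verbatim. The following is an added illustration of the code-level fix, not code from Contiki or the cc26xx-web-demo, and the function names (html_escape, render_field_unsafe, render_field_safe) and the sample value are constructed for this example. It renders one form field the unsafe way and the hardened way, escaping the five HTML metacharacters into a fixed-size buffer as a constrained device would, and fails closed (returns -1) when the escaped text does not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Contiki code): HTML-escape an untrusted string,
 * e.g. a value received from an HTTP POST, before writing it into a page.
 * Returns the number of bytes written (excluding the terminating NUL),
 * or -1 if the output buffer is too small. */
int html_escape(const char *in, char *out, size_t out_len)
{
    size_t pos = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *rep;
        char single[2] = {0, 0};
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:
            single[0] = (char)*p;
            rep = single;
            break;
        }
        size_t n = strlen(rep);
        if (pos + n >= out_len) {
            return -1; /* fail closed: never emit a truncated, unescaped tail */
        }
        memcpy(out + pos, rep, n);
        pos += n;
    }
    if (pos >= out_len) {
        return -1;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Vulnerable pattern implied by the CVE description: the stored value is
 * interpolated into the attribute with no encoding. */
int render_field_unsafe(const char *name, const char *value, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "<input name=\"%s\" value=\"%s\">", name, value);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Hardened pattern: encode the value first, then render. */
int render_field_safe(const char *name, const char *value, char *out, size_t out_len)
{
    char esc[256];
    if (html_escape(value, esc, sizeof esc) < 0) {
        return -1;
    }
    return render_field_unsafe(name, esc, out, out_len);
}

int main(void)
{
    /* Constructed sample: a stored config value that closes the attribute
     * and injects markup. */
    const char *value = "broker\"><b>x</b>";
    char buf[512];
    if (render_field_unsafe("broker_ip", value, buf, sizeof buf) >= 0) {
        printf("unsafe: %s\n", buf);
    }
    if (render_field_safe("broker_ip", value, buf, sizeof buf) >= 0) {
        printf("safe:   %s\n", buf);
    }
    return 0;
}
```

Encoding at render time (output encoding) rather than stripping characters at POST time is the design choice here: the raw broker hostname or topic string is kept intact for the MQTT client, and only the HTML view of it is made inert.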
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:contiki-os:contiki:3.0:*:*:*:*:*:*:*
- (no CPE) version range: =3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.securityfocus.com/bid/98790 (NVD: Third Party Advisory, VDB Entry)
- gist.github.com/jackmcbride/c9328627f1ee104ce84f3fb7eff42f1e (NVD: Third Party Advisory)
News mentions
No linked articles in our index yet.