CVE-2018-12919
Description
In CraftedWeb through 2013-09-24, aasp_includes/pages/notice.php allows XSS via the e parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in CraftedWeb's notice.php allows remote attackers to inject arbitrary JavaScript via the 'e' parameter.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in CraftedWeb through 2013-09-24 in aasp_includes/pages/notice.php. The script directly echoes the user-supplied e GET parameter without sanitization, as shown in the vulnerable code on line 11: <?php echo $_GET['e']; ?> [1]. No authentication or special configuration is required for the vulnerable code path.
Exploitation
An attacker can craft a malicious URL containing the e parameter with a JavaScript payload, such as http://127.0.0.1/CraftedWeb/aasp_includes/pages/notice.php?e=1 [1]. The victim must be tricked into clicking the link or visiting the crafted URL. The attacker does not need any prior access to the application.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the context of the CraftedWeb domain. This can lead to session hijacking, credential theft, redirection to malicious sites, or defacement.
Mitigation
The project appears to be archived or unmaintained; no official patch has been released. Users should HTML-encode the e parameter on output (e.g., using htmlspecialchars() in PHP) or remove the vulnerable code. If the application is still in use, applying that fix locally or disabling the notice functionality is recommended.
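As an added example (not CraftedWeb's own code), the echo pattern from notice.php beside a hardened version; the names escape_html, render_notice_unsafe, render_notice_safe and notice_from_request are assumed, and the sample input is constructed.

```php
<?php
// Assumed helper: encodes a value for safe insertion into HTML text or a
// double-quoted attribute. ENT_QUOTES also converts ' and ", ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Equivalent of the vulnerable line (<?php echo $_GET['e']; ?>): the
// parameter is inserted into the page unchanged, so any markup it contains
// is interpreted by the browser.
function render_notice_unsafe(string $e): string
{
    return '<div class="notice">' . $e . '</div>';
}

// Hardened rendering: the parameter is always treated as text.
function render_notice_safe(string $e): string
{
    return '<div class="notice">' . escape_html($e) . '</div>';
}

// Entry point that replaces the direct echo. It takes the query array as an
// argument so it can be exercised from the CLI. The is_string() check matters:
// a request such as ?e[]=x makes $_GET['e'] an array, and passing that to
// htmlspecialchars() raises a TypeError on PHP 8.
function notice_from_request(array $query): string
{
    $e = (isset($query['e']) && is_string($query['e'])) ? $query['e'] : '';
    return render_notice_safe($e);
}

// Constructed sample input: harmless markup stands in for a hostile payload.
$sample = ['e' => '<em>notice</em> "quoted" & \'single\''];

echo render_notice_unsafe($sample['e']), PHP_EOL;  // markup survives intact
echo notice_from_request($sample), PHP_EOL;        // markup becomes entities
```

Run with `php notice_example.php`; in the real page `notice_from_request($_GET)` would replace the echo on line 11.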
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2013-09-24
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/lzlzh2016/CraftedWeb/blob/master/xss.md (MISC)
News mentions
No linked articles in our index yet.