CVE-2018-16450
Description
CraftedWeb through 2013-09-24 has reflected XSS via the p parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CraftedWeb versions up to 2013-09-24 contain a reflected XSS vulnerability via the 'p' parameter, allowing arbitrary JavaScript execution.
Vulnerability
CraftedWeb through 2013-09-24 suffers from reflected cross-site scripting (XSS) in the p parameter. The application does not sanitize user-supplied input before reflecting it in the response, allowing injection of arbitrary HTML and JavaScript. Affected versions: all versions up to and including 2013-09-24 [1].
Exploitation
An attacker can craft a malicious URL with a p parameter containing an XSS payload, such as http://192.168.98.123/www/aaaCraftedWeb-1-master/?p=news%3C/title%3E%3CScRiPt%20%3Ealert(0)%3C/ScRiPt%3E. When a victim visits this URL, the injected script executes in the context of the affected site, without requiring authentication or user interaction beyond clicking the link [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement, theft of sensitive data, or other malicious actions that depend on the user's session and the application's domain.
Mitigation
As of the publication date (2018-09-04), no patch or official fix has been identified. Users should consider upgrading or applying web application firewall rules to filter malicious p parameter values. If the software is no longer maintained, migration to an alternative is recommended.
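An added illustration of the defect and its fix, not code from CraftedWeb or from the referenced gist: the "before" handler reflects p into the page title unencoded, which is what the reported payload relies on; the hardened handler HTML-encodes it first; and a hypothetical triage rule, of the kind the WAF suggestion above implies, flags decoded p values that break out of markup. The host and all function names are constructed for this example.

```python
import html
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample URL with the same shape as the report's (placeholder host).
SAMPLE_URL = "http://example.invalid/www/?p=news%3C/title%3E%3CScRiPt%20%3Ealert(0)%3C/ScRiPt%3E"


def p_values(url: str) -> list[str]:
    """Return every value of the p query parameter, percent-decoded once."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("p", [])


def render_title_vulnerable(p: str) -> str:
    """The 'before': p is reflected into <title> verbatim, the defect in CVE-2018-16450.
    A value containing </title> closes the element; whatever follows is parsed as markup."""
    return f"<html><head><title>{p}</title></head><body></body></html>"


def render_title_hardened(p: str) -> str:
    """The fix: HTML-encode p for the element-content context before reflecting it.
    '<' becomes '&lt;', so the injected </title> and <script> remain inert text."""
    return f"<html><head><title>{html.escape(p, quote=True)}</title></head><body></body></html>"


# Hypothetical access-log / WAF triage rule, as the mitigation text suggests:
# decode a second time (catches double-encoding), fold case (the sample uses
# ScRiPt), then look for markers that leave the text context of the title.
MARKUP_BREAKOUTS = ("</title>", "<script", "javascript:", "onerror=", "onload=")


def p_param_is_suspicious(url: str) -> bool:
    for value in p_values(url):
        normalised = unquote_plus(value).lower()
        if any(marker in normalised for marker in MARKUP_BREAKOUTS):
            return True
    return False


if __name__ == "__main__":
    p = p_values(SAMPLE_URL)[0]
    print("suspicious:", p_param_is_suspicious(SAMPLE_URL))
    print("vulnerable:", render_title_vulnerable(p))
    print("hardened:  ", render_title_hardened(p))
```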
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1. Range: <= 2013-09-24
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. gist.github.com/FuryKangaroo/8dc2ba91a5d63d6560d0088d0d265137 (refsource: MISC)
News mentions
No linked articles in our index yet.