CVE-2017-5963

Name of the Vulnerable Software and Affected Versions caddy versions prior to 7.2.10

Description The issue is caused by insufficient filtration of user-supplied data in the paymillToken HTTP POST parameter passed to the "caddy/Resources/Public/JavaScript/e-payment/paymill/api/php/payment.php" API endpoint. This allows an attacker to execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Recommendations For versions prior to 7.2.10, update to version 7.2.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the "caddy/Resources/Public/JavaScript/e-payment/paymill/api/php/payment.php" API endpoint to minimize the risk of exploitation. Avoid using the paymillToken parameter in the affected API endpoint until the issue is resolved.