CVE-2017-7296

Name of the Vulnerable Software and Affected Versions Contiki Operating System version 3.0

Description A Persistent XSS issue is present in the MQTT/IBM Cloud Config page of cc26xx-web-demo, which features a webserver running on a constrained device. This page allows users to remotely configure the device's operation by sending HTTP POST requests. The issue consists of improper input sanitization of the text fields on the MQTT/IBM Cloud config page, allowing for JavaScript code injection.

Recommendations For Contiki Operating System version 3.0, as a temporary workaround, consider disabling the MQTT/IBM Cloud Config page (aka mqtt.html) in the cc26xx-web-demo until a patch is available. Restrict access to the cc26xx-web-demo webserver to minimize the risk of exploitation. Avoid using the text fields on the MQTT/IBM Cloud config page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.