Critical Vulnerability Information

Vendor: mistserver.org
Product: MistServer v2.12
Vulnerability Type: Unauthenticated Persistent XSS
CVE ID: CVE-2017-16884
Security Issue: Unauthenticated remote attackers can inject persistent XSS payloads by sending failed HTTP authentication requests. The attacker-supplied payloads are stored in the server logs, and because the web interface auto-refreshes its log view, MistServer echoes these unsanitized payloads back into the interface, where they execute as arbitrary attacker-provided script in the browser of anyone viewing it.
Network Access: Remote
Severity: High

Disclosure Timeline:
- Vendor Notification: October 19, 2017
- Vendor Confirmation: October 20, 2017
- Vendor Patch Release: November 30, 2017
- Public Disclosure: December 1, 2017

Exploitation Examples

Exploiting this vulnerability allows attackers to inject malicious code, load malware, or steal logs from the target server.
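As an added example (not from the advisory and not MistServer's own code) of the defensive handling this bug class calls for: every log field is HTML-escaped before the auto-refreshing UI renders it, so stored markup is shown as text rather than executed, and entries whose user-supplied field contains markup are flagged for the operator. The log line format, field names and sample lines are assumptions constructed for the example.

```javascript
// Added example, not MistServer code. Defends against log-stored XSS by
// escaping on output and flagging markup in attacker-controlled fields.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Parse a constructed (hypothetical) log line of the form
//   "<ISO timestamp> AUTH_FAIL user=<name> ip=<addr>"
// The username is the attacker-controlled field: it comes straight from the
// failed HTTP authentication request.
function parseAuthFailure(line) {
  const m = /^(\S+) AUTH_FAIL user=(.*) ip=(\S+)$/.exec(line);
  return m ? { time: m[1], user: m[2], ip: m[3] } : null;
}

// True when a user-supplied field holds characters that a browser could
// interpret as markup or script if the field were rendered unescaped.
function looksLikeMarkup(field) {
  return /[<>"']|&#|javascript:/i.test(field);
}

// Render one entry as a table row. Every field is escaped, so the result is
// safe to assign to innerHTML whatever the log contains.
function renderRow(entry) {
  const cls = looksLikeMarkup(entry.user) ? ' class="suspicious"' : '';
  return `<tr${cls}><td>${escapeHtml(entry.time)}</td>` +
         `<td>${escapeHtml(entry.user)}</td><td>${escapeHtml(entry.ip)}</td></tr>`;
}

// Constructed sample lines (not real MistServer output).
const SAMPLE_LOG = [
  '2017-10-19T10:00:01Z AUTH_FAIL user=admin ip=203.0.113.5',
  '2017-10-19T10:00:02Z AUTH_FAIL user=<script>alert(1)</script> ip=203.0.113.5',
];

// Returns the safe HTML rows plus a count of entries that carried markup.
function processLog(lines) {
  const entries = lines.map(parseAuthFailure).filter(Boolean);
  return {
    rows: entries.map(renderRow),
    suspicious: entries.filter((e) => looksLikeMarkup(e.user)).length,
  };
}

console.log(processLog(SAMPLE_LOG));
```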