CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Description
An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.
Analysis
This is a stored cross-site scripting (XSS) vulnerability in Crafty Controller that allows authenticated attackers to inject malicious JavaScript through the Server Name form and API Key form components. An attacker with valid credentials can craft input that persists in the application and executes arbitrary scripts in other users' browsers within the same security context. While the CVSS score of 7.6 indicates high severity, and the vulnerability has low attack complexity and is reachable over the network, real-world risk is constrained by the requirement for prior authentication and user interaction.
Technical Context
This vulnerability represents a classic input validation and output encoding failure (CWE-79: Improper Neutralization of Input During Web Page Generation). The root cause is insufficient sanitization of user-supplied input in two form components, the Server Name and API Key fields, before this data is stored and rendered in HTML responses. Crafty Controller does not apply proper output encoding (HTML entity encoding) to these values, nor does it send Content Security Policy (CSP) headers that would block the resulting inline script from executing. When the stored form values are rendered server-side in subsequent page loads or administrative dashboards, the malicious payload executes in the context of the application domain, affecting any user who views the compromised data. The vulnerability chain: unsanitized input → database persistence → unencoded output → DOM execution.
Affected Products
Crafty Controller (specific affected versions not provided in the description; typically all versions prior to the patched release). The CPE string likely follows: cpe:2.3:a:craftycontroller:crafty_controller:*:*:*:*:*:*:*:*. Affected components: the Server Name form field and the API Key form field in the administrative interface. Organizations running Crafty Controller for game server management or infrastructure control should verify their installed version against vendor advisories. Hosted/SaaS deployments of Crafty Controller and self-hosted installations with multiple administrators carry the greatest exposure, since a stored payload executes for every other user who views the affected value, and should be patched first.
Remediation
1. IMMEDIATE: Update Crafty Controller to the latest patched version released by the vendor (the specific version number requires the vendor advisory; typically a minor/patch bump, e.g., 4.x.1 or 5.0.1).
2. VENDOR ADVISORY: Check the official Crafty Controller GitHub repository (https://github.com/Arcadia-Digital/Crafty) for security advisories and patch release notes.
3. TEMPORARY MITIGATIONS (if patching is delayed): Restrict form access via network ACLs to trusted IP ranges; implement WAF rules to block script payloads in the Server Name and API Key fields; audit existing form submissions for malicious payloads and purge corrupted records; disable the API Key form temporarily if it is non-essential.
4. POST-PATCH: Conduct a stored XSS payload sweep of the database (search for script tags and event handlers in serialized form data); reset all API keys and server names; audit admin access logs for suspicious activity during the exposure window.
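Added example, not Crafty Controller's own code, covering the chain described under Technical Context and the post-patch sweep in step 4: a deliberately unsafe render beside its HTML-escaped form, plus a scan over constructed sample records for the script-tag and event-handler markers. The record layout and column names are assumptions, not the project's schema.

```python
import html
import re

# Constructed sample records standing in for rows of the Crafty Controller
# database; the column names are assumptions, not the project's real schema.
SAMPLE_RECORDS = [
    {"id": 1, "server_name": "Survival World", "api_key_name": "backup-bot"},
    {"id": 2, "server_name": "<script>alert(document.cookie)</script>",
     "api_key_name": "ops"},
    {"id": 3, "server_name": "Creative",
     "api_key_name": "<img src=x onerror=alert(1)>"},
    {"id": 4, "server_name": "Lobby & Hub <3", "api_key_name": "web"},
]

AUDIT_FIELDS = ("server_name", "api_key_name")

# Markers named in remediation step 4: script tags, inline event handlers,
# and javascript: URLs. Deliberately broad; every hit needs a human look.
SUSPICIOUS = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def find_suspicious_records(records):
    """Return (record id, field, value) for each field that looks like a payload."""
    hits = []
    for rec in records:
        for field in AUDIT_FIELDS:
            value = rec.get(field) or ""
            if SUSPICIOUS.search(value):
                hits.append((rec["id"], field, value))
    return hits


def render_name_unsafe(name):
    """The failing pattern: the stored value is interpolated straight into HTML."""
    return f'<td class="server-name">{name}</td>'


def render_name_safe(name):
    """Hardened form: HTML-entity-encode the value before it reaches the page."""
    return f'<td class="server-name">{html.escape(name, quote=True)}</td>'


if __name__ == "__main__":
    for rec_id, field, value in find_suspicious_records(SAMPLE_RECORDS):
        print(f"record {rec_id}: {field} looks like a stored payload: {value!r}")
    stored = SAMPLE_RECORDS[1]["server_name"]
    print("unsafe:", render_name_unsafe(stored))
    print("safe:  ", render_name_safe(stored))
```

Treat the scan as a triage aid: an encoded or split payload can slip past these patterns, so the encoding fix, not the sweep, is what closes the issue.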
EUVD-2025-18347