PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5963 Caddy Project CVE debrief

CVE-2017-5963 is a cross-site scripting vulnerability in caddy for TYPO3 before 7.2.10. The issue stems from insufficient filtering of the user-supplied paymillToken HTTP POST parameter sent to the affected payment.php endpoint, which allows injected HTML and script to execute in a victim's browser within the origin of the vulnerable website.

Vendor
Caddy Project
Product
CVE-2017-5963
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-12
Original CVE updated
2026-05-13
Advisory published
2017-02-12
Advisory updated
2026-05-13

Who should care

Administrators and developers running TYPO3 installations that include caddy before 7.2.10 should care most, especially if the Paymill payment flow is reachable by untrusted users. Security teams should also treat this as relevant anywhere authenticated users could be exposed to injected script content on the affected site.

Technical summary

According to the NVD record, the vulnerability is a CWE-79 cross-site scripting issue in caddy for TYPO3 before 7.2.10. User-controlled paymillToken input passed to caddy/Resources/Public/JavaScript/e-payment/paymill/api/php/payment.php was not filtered sufficiently, which could let an attacker inject arbitrary HTML and script code that executes in the browser under the site's origin. NVD rates the issue CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, low attack complexity, no privileges required, user interaction required, and changed scope (the impact lands in the user's browser rather than on the server), with low confidentiality and integrity impact and no availability impact.

Defensive priority

Medium priority. The flaw is remotely reachable and can affect user sessions and browser-side trust, but it requires user interaction and is scoped as XSS rather than direct server compromise. Remediate promptly if the affected payment endpoint is exposed to real users.

Recommended defensive actions

  • Upgrade caddy for TYPO3 to 7.2.10 or later, using the vendor-fixed release as the primary remediation.
  • Verify whether your deployment uses the affected Paymill payment path and whether the payment.php endpoint is reachable from untrusted input.
  • If immediate upgrading is not possible, add strict server-side validation and output encoding for paymillToken and any related response content.
  • Review session and browser-security hardening such as HttpOnly cookies, SameSite settings, and a restrictive Content Security Policy.
  • Inspect application logs and recent user reports for signs of script injection or abnormal browser behavior on the affected site.
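As an added illustration of the validation and output-encoding action above (example code, not the extension's own payment.php): the raw-reflection pattern that produces this class of bug beside a hardened handler for paymillToken. The token format check is an assumption (an opaque alphanumeric identifier of bounded length); adjust it to the format your payment provider actually issues.

```php
<?php
// Added example, not code from the caddy extension. Shows strict validation
// plus output encoding for the paymillToken POST parameter before anything
// derived from it is reflected to the browser.
declare(strict_types=1);

// Allow-list check. The pattern is an ASSUMPTION about the token format:
// letters, digits, underscore or hyphen, 8 to 128 characters.
function validatePaymillToken($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9_-]{8,128}\z/', $raw) === 1 ? $raw : null;
}

// Context-aware encoding for an HTML text/attribute context.
function encodeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (hypothetical, shown for contrast): the parameter is
// echoed into the page unchanged, so any markup in it reaches the browser.
function renderResultUnsafe(array $post): string
{
    return '<p>Token: ' . ($post['paymillToken'] ?? '') . '</p>';
}

// Hardened pattern: reject malformed input outright and encode the value
// on output. Returns [HTTP status, body] so the caller sets the status.
function renderResultSafe(array $post): array
{
    $token = validatePaymillToken($post['paymillToken'] ?? null);
    if ($token === null) {
        return [400, '<p>Invalid payment token.</p>'];
    }
    return [200, '<p>Token: ' . encodeForHtml($token) . '</p>'];
}

if (PHP_SAPI !== 'cli') {
    [$status, $body] = renderResultSafe($_POST);
    http_response_code($status);
    header('Content-Type: text/html; charset=UTF-8');
    header("Content-Security-Policy: default-src 'self'");
    echo $body;
} else {
    // Constructed sample inputs for a local check: one well-formed token,
    // one containing markup that the safe handler rejects.
    foreach (['tok_abc123DEF', '<img src=x onerror=1>'] as $sample) {
        [$status, $body] = renderResultSafe(['paymillToken' => $sample]);
        echo $status, ' ', $body, PHP_EOL;
    }
}
```

The CSP header is a defence-in-depth layer for the hardening item below, not a substitute for the validation and encoding.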

Evidence notes

The core claim comes from the official CVE/NVD summary: caddy for TYPO3 before 7.2.10 performed insufficient filtering of the paymillToken POST parameter at the referenced payment.php path, enabling arbitrary HTML/script execution in the browser. The NVD record also classifies the weakness as CWE-79 and provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The NVD record was last modified on 2026-05-13; that is metadata maintenance, not the vulnerability's original disclosure date.

Official resources

CVE published on 2017-02-12. The supplied NVD record was last modified on 2026-05-13; treat that as record maintenance rather than the original issue date.