CVE-2017-15287

MEDIUM NUCLEI

Dreambox WebControl 2.0.0 - Cross-Site Scripting

Title source: nuclei

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-15287. PoCs published by Thiago Sena. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in the BouquetEditor plugin of Dreambox 2.0.0. The PoC involves adding a new bouquet with a malicious script payload, which executes when accessed.

Description

There is XSS in the BouquetEditor WebPlugin for Dream Multimedia Dreambox devices, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.

Exploits (1)

exploitdb WORKING POC

by Thiago Sena · textwebappshardware

https://www.exploit-db.com/exploits/42986

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in the BouquetEditor plugin of Dreambox 2.0.0. The PoC involves adding a new bouquet with a malicious script payload, which executes when accessed.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Dreambox 2.0.0

Auth required

Prerequisites: Access to the BouquetEditor plugin · Ability to add a new bouquet

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Dreambox WebControl 2.0.0 - Cross-Site Scripting

MEDIUMby pikpikcu

References (2)

Core 2

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42986/

Exploit, Third Party Advisory x_refsource_misc

https://fireshellsecurity.team/assets/pdf/Vulnerability-XSS-Dreambox.pdf

Scores

CVSS v3 6.1

EPSS 0.0557

EPSS Percentile 91.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

bouqueteditor_project/bouqueteditor 2.0.0

Published Oct 12, 2017

Tracked Since Feb 18, 2026