CVE-2019-10779

MEDIUM

Stroom < 5.5.12 and 6.0.0 to < 6.0.25 - Cross-Site Scripting via Hidden Iframe

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-10779. PoCs published by RepublicR0K.

AI-analyzed exploit summary: The repository contains only a minimal README describing CVE-2019-10779 as an XSS vulnerability in GCHQ Stroom but lacks any functional exploit code or technical details.

Description

All versions of stroom:stroom-app before 5.5.12, and all versions of the 6.0.0 branch before 6.0.25, are affected by cross-site scripting (CWE-79). An attacker-controlled website can load the Stroom UI into a hidden iframe. From that iframe, the attacker site can issue commands to the Stroom UI through the XSS flaw and take full control of the UI on behalf of the logged-in user. The attacker needs no Stroom credentials of their own; the victim only has to visit the attacker's page while holding a valid Stroom session (CVSS PR:N, UI:R).
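The first hop of the attack described above is framing: the attacker's page must be able to load the Stroom UI in a hidden iframe at all. The following audit script is an added example written for this page, not code from the Stroom project or from the PoC repository. It takes a set of HTTP response headers (constructed inline here; on a real deployment you would capture them from the Stroom login or dashboard URL) and classifies how freely a third-party origin may frame the page, honouring the precedence rules browsers apply: an enforced `Content-Security-Policy` with `frame-ancestors` overrides `X-Frame-Options`, `Content-Security-Policy-Report-Only` enforces nothing, and the obsolete `X-Frame-Options: ALLOW-FROM` is ignored by current browsers. The function names and the sample deployments are assumptions of the example.

```python
# Added example: audit whether a web UI's response headers stop a third-party
# page from loading it in a hidden iframe. Not code from the Stroom project or
# from the RepublicR0K PoC repository; header sets below are constructed.
from typing import Dict, List, Mapping


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for token in value.split(";"):
        fields = token.split()
        if fields:
            directives[fields[0].lower()] = fields[1:]
    return directives


def framing_verdict(headers: Mapping[str, str]) -> str:
    """Classify how freely an arbitrary third-party origin may frame this response.

    Returns one of "blocked", "same-origin", "allowlist" or "open".
    """
    h = {k.lower(): v for k, v in headers.items()}

    # An enforced CSP with frame-ancestors takes precedence over X-Frame-Options.
    # Content-Security-Policy-Report-Only is deliberately not consulted: it
    # only reports violations and never blocks the frame.
    csp = h.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            sources = [s.lower().strip("'") for s in ancestors]
            # 'none' or an empty source list matches no ancestor at all.
            if not sources or sources == ["none"]:
                return "blocked"
            # A wildcard or a bare scheme lets any site on that scheme frame the page.
            if any(s in ("*", "http:", "https:") for s in sources):
                return "open"
            if all(s == "self" for s in sources):
                return "same-origin"
            return "allowlist"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is ignored by current browsers, so it offers no protection;
    # a missing or unrecognised value means the page can be framed by anyone.
    return "open"


# Constructed header sets for four hypothetical deployments of a web UI.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "legacy-allow-from": {"X-Frame-Options": "ALLOW-FROM https://portal.example"},
    "hardened": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
}


def audit(samples: Mapping[str, Mapping[str, str]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Run framing_verdict over every sample and return {name: verdict}."""
    return {name: framing_verdict(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:18} {verdict}")
```

Only the `hardened` deployment blocks the hidden-iframe step; `report-only` and `legacy-allow-from` look configured but are effectively `open`, which is exactly the false sense of safety a header-presence check would miss. Framing controls remove the cross-site delivery path but not the XSS itself, so the fix for this CVE remains upgrading to 5.5.12 or 6.0.25.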

Exploits (1)

nomisec STUB 2 stars
by RepublicR0K · poc
https://github.com/RepublicR0K/CVE-2019-10779

Classification
Stub 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Theoretical (the PoC repository contains no working exploit code)
Target: GCHQ Stroom
No attacker authentication needed; the victim must hold a logged-in Stroom session
Prerequisites: access to a vulnerable Stroom instance and a logged-in user who visits the attacker's page
MITRE ATT&CK: none mapped
devstral-2 · analyzed Feb 19, 2026

References (1)

Core references (1)
https://snyk.io/vuln/SNYK-JAVA-STROOM-541182 (tagged: Exploit, Third Party Advisory, x_refsource_confirm)

Scores

CVSS v3 6.1
EPSS 0.0029
EPSS Percentile 52.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79 (Cross-site Scripting)
Status published
Products (1)
gchq/stroom < 5.5.12, and 6.0.0 to < 6.0.25
Published Jan 28, 2020
Tracked Since Feb 18, 2026