Elefant CMS 1.3.12-RC username Persistent cross site scripting

EntryHistoryDiffjsonxmlCTI

A vulnerability classified as problematic has been found in Elefant CMS 1.3.12-RC. Affected is an unknown function. The manipulation of the argument username leads to basic cross site scripting (Persistent). Using CWE to declare the problem leads to CWE-80. The weakness was shared 02/16/2017 by Tim Coen with Curesec Research Team as Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS as Mailinglist Post (Full-Disclosure). The advisory is available at seclists.org. This vulnerability is traded as CVE-2017-20057. It is possible to launch the attack remotely. Technical details are available. There is no exploit available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment. This vulnerability is assigned to T1059.007 by the MITRE ATT&CK project. It is declared as not defined. The vulnerability was handled as a non-public zero-day exploit for at least 283 days. As 0-day the estimated underground price was around $0-$5k. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component. A possible mitigation has been published before and not just after the disclosure of the vulnerability.

Field	02/24/2017 15:42	08/17/2020 09:23	06/18/2022 16:18
vendor	Elefant	Elefant	Elefant
name	CMS	CMS	CMS
version	1.3.12-RC	1.3.12-RC	1.3.12-RC
argument	username	username	username
vendorinformdate	1462752000	1462752000	1462752000
risk	1	1	1
cvss2_vuldb_basescore	5.0	5.0	5.0
cvss2_vuldb_tempscore	3.9	3.9	3.9
cvss2_vuldb_av	N	N	N
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_au	N	N	N
cvss2_vuldb_ci	N	N	N
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	N	N	N
cvss2_researcher_av	N	N	N
cvss2_researcher_ac	L	L	L
cvss2_researcher_au	N	N	N
cvss2_researcher_ci	N	N	N
cvss2_researcher_ii	P	P	P
cvss2_researcher_ai	N	N	N
cvss3_meta_basescore	4.3	4.3	4.3
cvss3_meta_tempscore	3.8	3.8	3.8
cvss3_vuldb_basescore	4.3	4.3	4.3
cvss3_vuldb_tempscore	3.8	3.8	3.8
cvss3_vuldb_av	N	N	N
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_pr	N	N	N
cvss3_vuldb_ui	R	R	R
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	N	N	N
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	N	N	N
titleword	Persistent	Persistent	Persistent
date	1487203200 (02/16/2017)	1487203200 (02/16/2017)	1487203200 (02/16/2017)
location	Full-Disclosure	Full-Disclosure	Full-Disclosure
type	Mailinglist Post	Mailinglist Post	Mailinglist Post
url	http://seclists.org/fulldisclosure/2017/Feb/36	http://seclists.org/fulldisclosure/2017/Feb/36	http://seclists.org/fulldisclosure/2017/Feb/36
identifier	Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS	Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS	Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS
person_name	Tim Coen	Tim Coen	Tim Coen
company_name	Curesec Research Team	Curesec Research Team	Curesec Research Team
price_0day	$0-$5k	$0-$5k	$0-$5k
name	Upgrade	Upgrade	Upgrade
upgrade_version	1.3.13	1.3.13	1.3.13
seealso	97255 97256 97257 97258	97255 97256 97257 97258	97255 97256 97257 97258
cvss2_vuldb_e	ND	ND	ND
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_rc	UC	UC	UC
cvss3_vuldb_e	X	X	X
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	U	U	U
0day_days	283	283	283
type		Content Management System	Content Management System
cwe	0	80 (cross site scripting)	80 (cross site scripting)
cve			CVE-2017-20057
responsible			VulDB
cvss2_researcher_basescore			5.0

◂ Previous Overview Next ▸

Interested in the pricing of exploits?

See the underground prices here!