A vulnerability classified as problematic has been found in Elefant CMS 1.3.12-RC. It affects an unknown function. Manipulating the argument username leads to basic cross-site scripting (persistent). In CWE terms, the problem is classified as CWE-80.

The weakness was shared on 02/16/2017 by Tim Coen with the Curesec Research Team as "Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS" in a mailing list post (Full-Disclosure). The advisory is available at seclists.org. The vulnerability is tracked as CVE-2017-20057.

The attack can be launched remotely. Technical details are available. There is no exploit available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment. The MITRE ATT&CK project assigns this vulnerability to T1059.007. It is declared as not defined. The vulnerability was handled as a non-public zero-day exploit for at least 283 days. As a 0-day, the estimated underground price was around $0-$5k.

Upgrading to version 1.3.13 addresses this issue. It is recommended to upgrade the affected component. A possible mitigation has been published before and not just after the disclosure of the vulnerability.