6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20057

GHSA ID

GHSA-xwj7-29j7-rw76

EPSS Score

0.45577%

CWE

CWE-79

Published

6/21/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-20057

CVE-2017-20057: Cross site scripting in Elefant CMS

A vulnerability classified as problematic has been found in Elefant CMS 1.3.12-RC. Affected is an unknown function. The manipulation of the argument username leads to basic cross site scripting (Persistent). It is possible to launch the attack remotely. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20057

GHSA ID

GHSA-xwj7-29j7-rw76

EPSS Score

0.45577%

CWE

CWE-79

Published

6/21/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
elefant/cms	composer	< 1.3.13	1.3.13

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsanitized username input handling and unescaped output in admin interfaces. Key evidence includes: 1) The PoC shows XSS triggers in user edit pages (/user/edit) and version comparisons (/admin/versions), implicating these handlers. 2) Persistent XSS requires both storage and unsafe rendering - User::save likely stores raw input while template rendering functions fail to escape it. 3) The CMS's admin interface structure suggests these are core user management components. While exact code isn't available, the attack pattern and Elefant's MVC architecture strongly indicate these functions as vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility *l*ssi*i** *s pro*l*m*ti* **s ***n *oun* in *l***nt *MS *.*.**-R*. *****t** is *n unknown *un*tion. T** m*nipul*tion o* t** *r*um*nt us*rn*m* l***s to **si* *ross sit* s*riptin* (P*rsist*nt). It is possi*l* to l*un** t** *tt**k r*mot*

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** us*rn*m* input **n*lin* *n* un*s**p** output in **min int*r****s. K*y *vi**n** in*lu**s: *) T** Po* s*ows XSS tri***rs in us*r **it p***s (`/us*r/**it`) *n* v*rsion *omp*risons (`/**min/v*rsions`), impli**tin*

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-20057: Cross site scripting in Elefant CMS

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI