6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20058

GHSA ID

GHSA-5hfm-g799-wjw6

EPSS Score

0.45577%

CWE

CWE-79

Published

6/21/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-20058

CVE-2017-20058: Cross site scripting in Elefant CMS

A vulnerability classified as problematic was found in Elefant CMS 1.3.12-RC. Affected by this vulnerability is an unknown functionality of the component Version Comparison. The manipulation leads to basic cross site scripting (Persistent). The attack can be launched remotely. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20058

GHSA ID

GHSA-5hfm-g799-wjw6

EPSS Score

0.45577%

CWE

CWE-79

Published

6/21/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
elefant/cms	composer	< 1.3.13	1.3.13

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key areas: 1) The version comparison feature displays user-controllable data without proper escaping (as evidenced by PoC URLs like /admin/compare?id=8&current=no). The render_diff function is central to this component. 2) User profile fields are stored without adequate sanitization and reflected in admin views. While the exact function names aren't specified in disclosures, Elefant's MVC structure suggests these handlers would be responsible. The 'high' confidence for render_diff aligns with the CVE's focus on version comparison, while user profile handling receives 'medium' confidence due to indirect evidence in disclosure details.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility *l*ssi*i** *s pro*l*m*ti* w*s *oun* in *l***nt *MS *.*.**-R*. *****t** *y t*is vuln*r**ility is *n unknown *un*tion*lity o* t** *ompon*nt V*rsion *omp*rison. T** m*nipul*tion l***s to **si* *ross sit* s*riptin* (P*rsist*nt). T** *tt**

Reasoning

T** vuln*r**ility st*ms *rom two k*y *r**s: *) T** v*rsion *omp*rison ***tur* *ispl*ys us*r-*ontroll**l* **t* wit*out prop*r *s**pin* (*s *vi**n*** *y Po* URLs lik* /**min/*omp*r*?i*=*&*urr*nt=no). T** r*n**r_*i** *un*tion is **ntr*l to t*is *ompon*n

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-20058: Cross site scripting in Elefant CMS

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI