5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20059

GHSA ID

GHSA-7f7g-8q3x-jpx9

EPSS Score

0.41918%

CWE

CWE-79

Published

6/21/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-20059

CVE-2017-20059: Cross site scripting in Elefant CMS

A vulnerability, which was classified as problematic, has been found in Elefant CMS 1.3.12-RC. Affected by this issue is some unknown functionality of the component Title Handler. The manipulation with the input </title><img src=no onerror=alert(1)> leads to basic cross site scripting (Persistent). The attack may be launched remotely. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20059

GHSA ID

GHSA-7f7g-8q3x-jpx9

EPSS Score

0.41918%

CWE

CWE-79

Published

6/21/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
elefant/cms	composer	< 1.3.13	1.3.13

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability patterns consistently show: 1) Lack of output encoding in title fields (</title> breakout) 2) Unencoded user-controlled values in admin interfaces 3) Template files directly echoing user input without escaping. While exact function names aren't provided, the persistent XSS mechanism implies vulnerable rendering functions in page/blog/user management components that handle title/output rendering without proper context-aware escaping.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility, w*i** w*s *l*ssi*i** *s pro*l*m*ti*, **s ***n *oun* in *l***nt *MS *.*.**-R*. *****t** *y t*is issu* is som* unknown *un*tion*lity o* t** *ompon*nt Titl* **n*l*r. T** m*nipul*tion wit* t** input </titl*><im* sr*=no on*rror=*l*rt(*)>

Reasoning

T** vuln*r**ility p*tt*rns *onsist*ntly s*ow: *) L**k o* output *n*o*in* in titl* *i*l*s (</titl*> *r**kout) *) Un*n*o*** us*r-*ontroll** v*lu*s in **min int*r****s *) T*mpl*t* *il*s *ir**tly ***oin* us*r input wit*out *s**pin*. W*il* *x**t `*un*tion

5.4

Basic Information

Concerned about an active attack path?

CVE-2017-20059: Cross site scripting in Elefant CMS

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI