5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20060

GHSA ID

GHSA-4453-g295-24mh

EPSS Score

0.41918%

CWE

CWE-79

Published

6/21/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-20060

CVE-2017-20060: Cross site scripting in Elefant CMS

A vulnerability, which was classified as problematic, was found in Elefant CMS 1.3.12-RC. This affects an unknown part of the component Blog Post Handler. The manipulation leads to basic cross site scripting (Persistent). It is possible to initiate the attack remotely. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20060

GHSA ID

GHSA-4453-g295-24mh

EPSS Score

0.41918%

CWE

CWE-79

Published

6/21/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
elefant/cms	composer	< 1.3.13	1.3.13

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped output of user-controlled data (blog post titles/tags) in the Blog Post Handler. The Full Disclosure PoC explicitly shows that malicious titles/tags are stored and rendered in multiple contexts (e.g., <title>, <h1>, href attributes). Functions handling persistence (save()) and rendering (render()) are the most likely candidates. While exact code isn't available, Elefant's MVC structure and the component's description strongly suggest these functions are involved in the insecure handling of user input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility, w*i** w*s *l*ssi*i** *s pro*l*m*ti*, w*s *oun* in *l***nt *MS *.*.**-R*. T*is *****ts *n unknown p*rt o* t** *ompon*nt *lo* Post **n*l*r. T** m*nipul*tion l***s to **si* *ross sit* s*riptin* (P*rsist*nt). It is possi*l* to initi*t* t

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** output o* us*r-*ontroll** **t* (*lo* post titl*s/t**s) in t** *lo* Post **n*l*r. T** *ull *is*losur* Po* *xpli*itly s*ows t**t m*li*ious titl*s/t**s *r* stor** *n* r*n**r** in multipl* *ont*xts (*.*., <titl*>, <

5.4

Basic Information

Concerned about an active attack path?

CVE-2017-20060: Cross site scripting in Elefant CMS

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI