CVE-2017-16635
CVE-2017-16635 is a vulnerability of currently unknown severity. In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. EPSS estimates a 0.78% chance of exploitation in the next 30 days.
Description
In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script code into the `TWG Explorer` item listing. The injection is performed with a POST request, and the attack vector is located on the application side of the service. The injection point is the add/create input field, and the execution point is the item listing rendered after the add or create operation.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Tinywebgallery | Tinywebgallery | 2.4 |
References
- https://www.vulnerability-lab.com/get_content.php?id=1997 (Issue Tracking, Third Party Advisory)
Source: NVD / NIST
