// For flags

CVE-2017-16635

 

Severity Score

5.4
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. The request method to inject is POST and the attack vector is located on the application-side of the service. The injection point is the add/create input field and the execution point occurs in the item listing after the add or create.

En TinyWebGallery v2.4, una vulnerabilidad XSS se localiza en los parámetros "mkname", "mkitem" e "item" del módulo "Add/Create". Los atacantes remotos con cuentas de usuario con pocos privilegios para el acceso backend son capaces de inyectar códigos script maliciosos en el listado de ítems "TWG Explorer". El método de petición que se tendría que inyectar es POST y el vector de ataque se sitúa en el lado de la aplicación del servicio. El punto de inyección es el campo de entrada add/create y el punto de ejecución ocurre en el listado de ítems tras la adición o la creación.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-11-06 CVE Reserved
  • 2017-11-06 CVE Published
  • 2024-06-09 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
URL Tag Source
https://www.vulnerability-lab.com/get_content.php?id=1997 Issue Tracking
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Tinywebgallery
Search vendor "Tinywebgallery"
 Tinywebgallery
Search vendor "Tinywebgallery" for product "Tinywebgallery"
 2.4
Search vendor "Tinywebgallery" for product "Tinywebgallery" and version "2.4"
-
Affected