CVE-2017-14077

MEDIUM

Securimage < 3.6.4 - HTML Injection via HTTP_USER_AGENT Parameter

Description

HTML Injection in Securimage 3.6.4 and earlier allows remote attackers to inject arbitrary HTML into an e-mail message body via the $_SERVER['HTTP_USER_AGENT'] parameter to example_form.ajax.php or example_form.php.

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.checkmarx.com/advisories/html-injection-securimage/
Vendor Advisory x_refsource_misc
https://advisory.checkmarx.net/advisory/CX-2017-4223

Scores

CVSS v3 6.1
EPSS 0.0081
EPSS Percentile 52.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-94
Status published
Products (2)
dapphp/securimage 0 - 3.6.6 (Packagist)
phpcaptcha/securimage < 3.6.4
Published Nov 18, 2017
Tracked Since Feb 18, 2026