CVE-2017-14620

MEDIUM

SmarterStats 11.3.6347 - Stored Cross-Site Scripting via Referer Field in HTTP Logfiles


Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-14620. PoCs published by sqlhacker.

AI-analyzed exploit summary: This exploit demonstrates a stored DOM-based XSS vulnerability in SmarterStats 11.3.6347 by injecting malicious HTML into the Referer field of HTTP logfiles, which is then rendered in the ReferringURLsWithQueries report.

Description

SmarterStats version 11.3.6347 renders the Referer field of HTTP logfiles unescaped in the report at /Data/Reports/ReferringURLsWithQueries, resulting in stored cross-site scripting.

Exploits (1)

exploit-db (working PoC)
by sqlhacker · text · webapps · aspx
https://www.exploit-db.com/exploits/42923


Classification: Working PoC (90%)
Attack type: XSS
Complexity: Moderate
Reliability: Reliable
Target: SmarterStats version 11.3.6347
Authentication: none required
Prerequisites: HTTP proxy (Burp Suite, Fiddler) · web browser (Chrome) · user interaction required · supported Windows OS · Microsoft .NET 4.5
MITRE ATT&CK
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core references (2)
- https://www.exploit-db.com/exploits/42923/ (Exploit, Third Party Advisory, VDB Entry; x_refsource_exploit-db)
- http://xss.cx/cve/2017/14620/smarterstats.v11-3-6347.html (Exploit, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 6.1
EPSS 0.0247
EPSS Percentile 82.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
smartertools/smarterstats 11.3.6347
Published Sep 30, 2017
Tracked Since Feb 18, 2026