CVE-2017-5494

MEDIUM

B2evolution < 6.8.3 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame.

References (3)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/95452

[Issue Tracking, Patch, Third Party Advisory] https://github.com/b2evolution/b2evolution/commit/261dbd5b294e707af766691e65a177a290314a6e

View Patch ZIP pw:eip

[Issue Tracking, Patch, Third Party Advisory] https://github.com/b2evolution/b2evolution/issues/34

Scores

CVSS v3 5.4

EPSS 0.0022

EPSS Percentile 44.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

b2evolution/b2evolution < 6.8.3

n/a/n/a

Timeline

Published Jan 15, 2017

Tracked Since Feb 18, 2026