CVE-2017-7997

CRITICAL

gespage < 7.4.9 - SQL Injection via show_prn or show_month Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-7997. PoCs published by Sysdream, tnpitsecurity.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in Gespage, allowing authenticated attackers to execute stacked queries, including time-based delays and password updates. The provided Python script automates the process of changing the admin password via SQL injection.

Description

Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow remote attackers to execute arbitrary SQL commands via the (1) show_prn parameter to webapp/users/prnow.jsp or show_month parameter to (2) webapp/users/blhistory.jsp or (3) webapp/users/prhistory.jsp.

Exploits (2)

exploitdb WORKING POC

by Sysdream · textwebappsjsp

https://www.exploit-db.com/exploits/43447

View Code ZIP pw:eip

This exploit demonstrates a SQL injection vulnerability in Gespage, allowing authenticated attackers to execute stacked queries, including time-based delays and password updates. The provided Python script automates the process of changing the admin password via SQL injection.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Gespage versions up to 7.4.8

Auth required

Prerequisites: Authenticated user session (JSESSIONID cookie) · Access to vulnerable Gespage web interface

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WRITEUP 4 stars

by tnpitsecurity · poc

https://github.com/tnpitsecurity/CVEs/tree/master/CVE-2017-7997

View Code ZIP pw:eip

The repository provides a detailed technical analysis of CVE-2017-7998, a stored and reflected XSS vulnerability in Gespage. It includes proof-of-concept examples, affected versions, and a timeline of disclosure.

Classification

Writeup 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Gespage versions up to 7.4.9

Auth required

Prerequisites: Access to admin panel for stored XSS · Valid session for reflected XSS

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2018/Jan/14

Exploit, Third Party Advisory x_refsource_misc

https://sysdream.com/news/lab/2018-01-02-cve-2017-7997-gespage-sql-injection-vulnerability/

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/43447/

Scores

CVSS v3 9.8

EPSS 0.1969

EPSS Percentile 97.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

gespage/gespage < 7.4.9

Published Jan 08, 2018

Tracked Since Feb 18, 2026