CVE-2017-8384
MEDIUM
Craftcms Craft Cms < 2.6.2974 - XSS
Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.
Scores
CVSS v3
6.1
EPSS
0.0031
EPSS Percentile
53.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Classification
CWE
CWE-79
Status
published
Affected Products (3)
craftcms/craft_cms
< 2.6.2974
craftcms/cms
< 2.6.2976 (Packagist)
n/a/n/a
Timeline
Published
May 01, 2017
Tracked Since
Feb 18, 2026