CVE-2017-6490

Name of the Vulnerable Software and Affected Versions EPESI version 1.8.1.1

Description Multiple Cross-Site Scripting (XSS) issues were discovered due to insufficient filtration of user-supplied data passed to the "EPESI-master/modules/Utils/RecordBrowser/grid.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. The vulnerable parameters include cid, value, element, mode, tab, form name, and id.

Recommendations For EPESI version 1.8.1.1, consider disabling access to the "EPESI-master/modules/Utils/RecordBrowser/grid.php" URL until a patch is available. Restrict the use of the vulnerable parameters cid, value, element, mode, tab, form name, and id to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.