CVE-2017-6491

Name of the Vulnerable Software and Affected Versions EPESI version 1.8.1.1

Description Multiple Cross-Site Scripting (XSS) issues were discovered due to insufficient filtration of user-supplied data, specifically tooltip id, callback, args, and cid, passed to the "/EPESI-master/modules/Utils/Tooltip/req.php" API endpoint. This allows an attacker to execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Recommendations For EPESI version 1.8.1.1, as a temporary workaround, consider restricting access to the "/EPESI-master/modules/Utils/Tooltip/req.php" API endpoint to minimize the risk of exploitation. Avoid using the parameters tooltip id, callback, args, and cid in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.