PT-2017-17072 · Dotclear · Dotclear
Published 2017-03-05 · Updated 2017-03-08 · CVE-2017-6446
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Dotclear version 2.11.2
Description
A cross-site scripting issue was found, affecting the "admin/blogs.php" and "admin/users.php" API endpoints, specifically the sortby and order parameters.
Recommendations
For Dotclear version 2.11.2, consider restricting access to the "admin/blogs.php" and "admin/users.php" endpoints until a fix is available, and avoid using the sortby and order parameters in these endpoints to minimize the risk of exploitation.
Fix
XSS
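As an added example (not Dotclear's own code, and not the project's fix), the hypothetical PHP handler below shows the two controls that close a reflected XSS of this shape in a sort parameter: the sortby and order values are validated against an allowlist of known column names and directions before use, and whatever is reflected back into the page is URL-encoded in the query string and HTML-escaped in the attribute. The column names, the helper names and the request values are assumptions for illustration.

```php
<?php
// Added example, not Dotclear's own code. Column names and helper names are
// assumptions chosen for illustration.

const ALLOWED_SORT_COLUMNS = ['blog_id', 'blog_name', 'blog_url', 'blog_upddt'];
const ALLOWED_ORDERS       = ['asc', 'desc'];

/**
 * Return a validated (sortby, order) pair. Any value outside the allowlist
 * is replaced by a safe default, so attacker-controlled text never reaches
 * the SQL ORDER BY clause or the rendered markup.
 */
function validated_sort(array $query): array
{
    $sortby = (string) ($query['sortby'] ?? 'blog_id');
    $order  = strtolower((string) ($query['order'] ?? 'asc'));

    if (!in_array($sortby, ALLOWED_SORT_COLUMNS, true)) {
        $sortby = 'blog_id';
    }
    if (!in_array($order, ALLOWED_ORDERS, true)) {
        $order = 'asc';
    }
    return [$sortby, $order];
}

/** Escape a value for insertion into HTML text or a double-quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the raw request parameters are concatenated straight
// into the link markup, so any characters in them become part of the HTML.
function render_sort_link_unsafe(array $query): string
{
    $sortby = $query['sortby'] ?? 'blog_id';
    $order  = $query['order'] ?? 'asc';
    return '<a href="blogs.php?sortby=' . $sortby . '&order=' . $order . '">Sort</a>';
}

// Hardened pattern: allowlisted values only, URL-encoded in the query string
// and HTML-escaped when placed in the attribute and the link text.
function render_sort_link_safe(array $query): string
{
    [$sortby, $order] = validated_sort($query);
    $next = ($order === 'asc') ? 'desc' : 'asc';
    $href = 'blogs.php?' . http_build_query(['sortby' => $sortby, 'order' => $next]);
    return '<a href="' . h($href) . '">Sort by ' . h($sortby) . '</a>';
}

// Constructed request: a sortby value that is not a known column is dropped
// in favour of the default, and the order value is normalised.
$request = ['sortby' => 'not_a_column', 'order' => 'DESC'];
echo render_sort_link_safe($request), PHP_EOL;
```

The allowlist does double duty: because the same validated value is the only thing that can reach an ORDER BY clause, it also prevents the sort column from becoming an injection point in the query, and the `h()` escaping covers the case where a legitimate value still has to be reflected.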
Weakness Enumeration
Related Identifiers
Affected Products
Dotclear