CVE-2017-6487

Name of the Vulnerable Software and Affected Versions EPESI version 1.8.1.1

Description Multiple Cross-Site Scripting (XSS) issues were discovered due to insufficient filtration of user-supplied data passed to the "EPESI-master/modules/Utils/RecordBrowser/favorites.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. The vulnerabilities exist due to insufficient filtration of variables such as state, element, id, tab, and cid.

Recommendations For EPESI version 1.8.1.1, consider disabling access to the "EPESI-master/modules/Utils/RecordBrowser/favorites.php" URL until a patch is available. Restrict the use of variables state, element, id, tab, and cid to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.