PatchSiren cyber security CVE debrief

CVE-2017-5494 B2evolution CVE debrief

CVE-2017-5494 describes multiple cross-site scripting (XSS) vulnerabilities in b2evolution through 6.8.3. According to the NVD record, a remote authenticated user can inject arbitrary web script or HTML through a .swf file in either a comment frame or an avatar frame. The issue is rated CVSS 3.0 5.4 (medium) with network attack vector, low privileges required, and user interaction required.

Vendor: B2evolution
Product: CVE-2017-5494
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-15
Original CVE updated: 2026-05-13
Advisory published: 2017-01-15
Advisory updated: 2026-05-13

Who should care

Administrators and maintainers of b2evolution sites, especially deployments that allow authenticated users to manage comments, avatars, or other file-related content that is rendered back in the UI. Security teams should also care if any internal workflows trust user-supplied file metadata or preview content.

Technical summary

The vulnerable area is the file types table in b2evolution. NVD describes the flaw as multiple XSS vulnerabilities that allow an authenticated remote attacker to inject script or HTML via a .swf file used in a comment frame or avatar frame. The CVSS vector in the NVD record is CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and the weakness is classified as CWE-79.

Defensive priority

Medium. This is an authenticated XSS issue with user interaction required, but it can still lead to session theft, unauthorized actions, or content tampering in affected administrative or user-facing interfaces.

Recommended defensive actions

Upgrade b2evolution to a version newer than 6.8.3 if you are affected.
Review and restrict authenticated upload and rendering paths for comment and avatar content, especially any handling of .swf-related file types or file-type tables.
Verify the linked patch commit and associated issue for the upstream fix behavior before deploying any backported remediation.
Audit templates and administrative pages that display file-type metadata to ensure untrusted content is properly encoded before rendering.
If immediate upgrading is not possible, limit who can create or modify comment/avatar content and monitor for unexpected script-bearing input in those workflows.

Evidence notes

All substantive findings in this debrief are taken from the supplied NVD record and its linked references. The NVD metadata identifies the vulnerability as multiple XSS issues in b2evolution through 6.8.3, with CWE-79 and CVSS 3.0 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Linked references include a SecurityFocus BID entry, a b2evolution GitHub issue, and a b2evolution GitHub commit that is marked as a patch reference.

Official resources

CVE-2017-5494 CVE record
CVE.org
CVE-2017-5494 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch, Third Party Advisory
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch, Third Party Advisory

Publicly published in the CVE/NVD record on 2017-01-15; the supplied NVD record was last modified on 2026-05-13.