PatchSiren

CVE-2017-5553 B2evolution CVE debrief

CVE-2017-5553 is a cross-site scripting issue in b2evolution’s Markdown plugin that affects versions before 6.8.5. A remote authenticated user who can author Markdown can inject arbitrary web script or HTML through a javascript: URL that the plugin passes into the rendered page, creating a browser-side attack path against any user, including administrators, who views the affected content.

Vendor
B2evolution
Product
b2evolution
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-23
Original CVE updated
2026-05-13
Advisory published
2017-01-23
Advisory updated
2026-05-13

Who should care

b2evolution administrators, site operators, and security teams should care most if they allow authenticated users to create or edit Markdown content. Any deployment running b2evolution 6.8.4 or earlier should treat this as a relevant web application risk.

Technical summary

NVD classifies the issue as CWE-79 (cross-site scripting) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: a low-privilege authenticated account (PR:L) plants the content, a victim must view or follow it (UI:R), and the script runs in the victim’s browser rather than in the vulnerable component itself (S:C). The vulnerable CPE range ends at 6.8.4, and the advisory references a fix in b2evolution 6.8.5. The flaw is described as allowing injection of arbitrary script or HTML via a javascript: URL in plugins/markdown_plugin/_markdown.plugin.php, which indicates that the plugin emitted link targets without restricting the URL scheme.

Defensive priority

Medium. Exploitation requires an account that can author Markdown and a victim who views or clicks the crafted link, but the payload executes in that victim’s browser with the victim’s session, so a low-privilege contributor can target an administrator and affect account/session security or page integrity.

Recommended defensive actions

  • Upgrade b2evolution to version 6.8.5 or later.
  • Review whether non-admin users can publish or edit Markdown content, and reduce those permissions where possible.
  • Inspect existing content for suspicious javascript: URLs or unexpected embedded HTML in Markdown fields; check case-insensitively and after removing embedded tabs/newlines and decoding HTML entities, since these variations still resolve to a javascript: scheme in the browser.
  • Validate that any input filtering or rendering controls for the Markdown plugin are active after upgrade.
  • Use least-privilege access for content editors and monitor for unusual changes in post bodies or templates.
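The following Python is an added worked example, not code from the page or from b2evolution. It illustrates the flaw class described in the technical summary (a Markdown link renderer that escapes the href but never checks its scheme, beside a hardened renderer that allowlists schemes) and the content-inspection step from the recommended actions (a scan over stored post bodies that normalizes URLs the way a browser would before checking the scheme). The sample posts, the Markdown link regex and the allowlist are constructed assumptions for the demonstration; the vulnerable renderer is a minimal stand-in for the pattern, not b2evolution’s actual code.

```python
import html
import re

# Constructed sample post bodies (not real b2evolution content).
# Posts 2-5 hide a javascript: scheme in ways a naive substring check misses.
SAMPLE_POSTS = {
    1: "Read the [release notes](https://example.org/notes) first.",
    2: "Click [here](javascript:alert%281%29) to win.",          # plain
    3: "Try [this]( JaVaScRiPt:alert%281%29) too.",              # case + leading space
    4: "Or [that](java\tscript:alert%281%29) as well.",          # embedded tab
    5: "Entities: [x](&#106;avascript:alert%281%29) here.",      # entity-encoded 'j'
    6: "Mail me: [mail](mailto:ops@example.org).",
    7: "Relative [link](/about) stays.",
}

# Assumed allowlist: anything else (javascript:, data:, vbscript:, ...) is rejected.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Minimal Markdown inline-link syntax: [text](url). Assumed for the example.
MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)]*)\)")
SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_url(raw):
    """Undo the tricks that hide a scheme from a naive check.

    HTML entities are decoded (an href emitted without attribute escaping, or
    stored HTML rendered raw, is decoded by the browser); leading/trailing C0
    controls and spaces are stripped and tab/LF/CR removed anywhere, matching
    what the WHATWG URL parser does before it reads the scheme.
    """
    s = html.unescape(raw)
    s = s.strip(C0_AND_SPACE)
    return s.replace("\t", "").replace("\n", "").replace("\r", "")


def url_scheme(raw):
    """Lower-cased scheme of the normalized URL, or None for a relative URL."""
    m = SCHEME.match(normalize_url(raw))
    return m.group(1).lower() if m else None


def is_safe_url(raw):
    scheme = url_scheme(raw)
    return scheme is None or scheme in SAFE_SCHEMES


def render_link_vulnerable(text, url):
    """Stand-in for the flaw class: the href is HTML-escaped, which is not
    enough, because 'javascript:alert%281%29' contains nothing to escape and
    reaches the anchor intact."""
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(text))


def render_link_hardened(text, url):
    """Check the scheme on the normalized URL; on rejection drop the href and
    keep only the escaped link text so the post is not silently truncated."""
    if not is_safe_url(url):
        return html.escape(text)
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(text))


def render_markdown_links(body, renderer=render_link_hardened):
    """Render every [text](url) in a post body with the given link renderer."""
    return MD_LINK.sub(lambda m: renderer(m.group(1), m.group(2)), body)


def scan_posts(posts):
    """Return (post_id, raw_url, scheme) for every Markdown link whose
    normalized scheme is not on the allowlist; use this on stored content."""
    findings = []
    for post_id, body in posts.items():
        for _text, url in MD_LINK.findall(body):
            if not is_safe_url(url):
                findings.append((post_id, url, url_scheme(url)))
    return findings


if __name__ == "__main__":
    for post_id, url, scheme in scan_posts(SAMPLE_POSTS):
        print("post %d: %s: %r" % (post_id, scheme, url))
    print(render_markdown_links(SAMPLE_POSTS[2], render_link_vulnerable))
    print(render_markdown_links(SAMPLE_POSTS[2]))
```

Running the block lists posts 2 through 5 as javascript: links and shows post 2 rendered both ways: the vulnerable renderer emits a live javascript: anchor, the hardened one emits bare text. The scan deliberately decodes entities before checking, which can over-report for renderers that do escape attributes; for an inspection pass over stored content that is the right side to err on.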

Evidence notes

The vulnerability description and version boundary come from the NVD CVE record and its CPE criteria for b2evolution through 6.8.4. The vendor patch reference points to the 6.8.5 release, and the referenced GitHub commit is identified as a patch source in the CVE record. Published date used here is the CVE publication timestamp of 2017-01-23; later record modification dates do not change the issue date.

Official resources

The CVE record was published on 2017-01-23 and later modified on 2026-05-13; the vulnerability issue date remains the original 2017 publication.