PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6446 Dotclear CVE debrief

CVE-2017-6446 is a cross-site scripting issue in Dotclear 2.11.2 that affects admin/blogs.php and admin/users.php through the sortby and order parameters. NVD rates the issue at CVSS 3.0 6.1 (MEDIUM) and maps it to CWE-79.

Vendor: Dotclear
Product: CVE-2017-6446
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-05
Original CVE updated: 2026-05-13
Advisory published: 2017-03-05
Advisory updated: 2026-05-13

Who should care

Dotclear administrators, maintainers, and teams operating version 2.11.2 or any deployment that exposes the affected admin pages to authenticated users.

Technical summary

The NVD record identifies Dotclear 2.11.2 as vulnerable and classifies the weakness as CWE-79 (XSS). The published CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, low attack complexity, no privileges required, required user interaction, and a changed scope with low confidentiality and integrity impact. The supplied references include a vendor patch changeset, which is the strongest remediation signal in the corpus.

Defensive priority

Medium. Patch or upgrade promptly if you run Dotclear 2.11.2, because the vulnerable code sits in admin-facing request handling and can impact confidentiality and integrity once a user interacts with a crafted request.

Recommended defensive actions

  • Apply the Dotclear vendor patch referenced in the changeset link or upgrade to a version that includes the fix.
  • Review server-side handling of the sortby and order parameters in admin/blogs.php and admin/users.php and ensure untrusted input is properly encoded or validated.
  • Limit access to the admin interface to trusted users and networks where feasible.
  • Monitor affected admin endpoints for unusual request patterns or evidence of injected content.
  • If you use compensating controls such as a web application firewall, add coverage for the affected admin routes while you deploy the vendor fix.
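One way to carry out the second action above, shown as an added example that is not Dotclear's own code or its patch: the reflected-parameter pattern that matches CWE-79 sits beside an allowlist-and-encode version. The column names, the default values and the blogs.php link target are hypothetical placeholders, not Dotclear's schema.

```php
<?php
// Added illustration (not Dotclear's code): validate sortby/order against an
// allowlist before they are reflected into admin HTML, then encode on output.
// Column names below are hypothetical placeholders, not Dotclear's schema.

const ALLOWED_SORT_COLUMNS = ['blog_id', 'blog_name', 'blog_upddt'];
const ALLOWED_ORDERS       = ['asc', 'desc'];

// Weak pattern: raw query values are concatenated straight into a link,
// so any markup in the parameter lands in the page (the CWE-79 shape).
function renderSortLinkUnsafe(array $query): string
{
    $sortby = $query['sortby'] ?? 'blog_id';
    $order  = $query['order']  ?? 'asc';
    return '<a href="blogs.php?sortby=' . $sortby . '&order=' . $order . '">Sort</a>';
}

// Hardened pattern: anything outside the allowlist (or not a string at all,
// e.g. ?sortby[]=x) falls back to a known default.
function normaliseSortParams(array $query): array
{
    $sortby = $query['sortby'] ?? 'blog_id';
    if (!is_string($sortby) || !in_array($sortby, ALLOWED_SORT_COLUMNS, true)) {
        $sortby = 'blog_id';
    }
    $order = $query['order'] ?? 'asc';
    $order = is_string($order) ? strtolower($order) : 'asc';
    if (!in_array($order, ALLOWED_ORDERS, true)) {
        $order = 'asc';
    }
    return ['sortby' => $sortby, 'order' => $order];
}

// Output encoding is kept as defence in depth even though the values are
// now allowlisted; http_build_query also URL-encodes the query string.
function renderSortLinkSafe(array $query): string
{
    $href = 'blogs.php?' . http_build_query(normaliseSortParams($query));
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Sort</a>';
}

// Constructed sample request: an order value that is not a sort direction.
$sample = ['sortby' => 'blog_name', 'order' => 'desc"<b>x</b>'];
echo renderSortLinkUnsafe($sample), PHP_EOL; // stray quote and tag reach the markup
echo renderSortLinkSafe($sample), PHP_EOL;   // order falls back to asc, link is encoded
```

The same allowlist is what makes the values safe to pass on to the database layer as ORDER BY terms, which is a second reason to reject rather than merely escape them.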

Evidence notes

The corpus contains an NVD CVE record for CVE-2017-6446, a SecurityFocus reference, and a Dotclear changeset marked as a patch. NVD states the affected CPE is dotclear 2.11.2 and assigns CWE-79. The supplied material does not include the fixed version number or a detailed vendor advisory text.

Official resources

Public CVE disclosure date: 2017-03-05. The NVD record supplied here was last modified on 2026-05-13.