PatchSiren cyber security CVE debrief
CVE-2017-6487 Epesi CVE debrief
CVE-2017-6487 is a 2017 cross-site scripting issue in EPESI 1.8.1.1. According to the CVE record and NVD data, user-supplied parameters passed to the RecordBrowser favorites.php endpoint were not sufficiently filtered, allowing script injection in the browser context of the affected site.
- Vendor: Epesi
- Product: CVE-2017-6487
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-05
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-05
- Advisory updated: 2026-05-13
Who should care
Administrators and maintainers running EPESI 1.8.1.1, especially any deployment exposing the RecordBrowser favorites.php endpoint to authenticated or unauthenticated users.
Technical summary
NVD maps this issue to CWE-79 and identifies the affected product as epesi:epesi 1.8.1.1. The vulnerable behavior involves multiple XSS conditions tied to user-controlled values including state, element, id, tab, and cid being processed by EPESI-master/modules/Utils/RecordBrowser/favorites.php. The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability with user interaction required and potential impact on confidentiality and integrity.
Defensive priority
Medium. The issue is publicly documented and involves browser-side script execution, but the available record does not indicate KEV inclusion or known ransomware use.
Recommended defensive actions
- Upgrade or patch EPESI to a version that addresses the favorites.php input handling weakness.
- Review any customizations or extensions that pass user-controlled values into RecordBrowser favorites.php and apply server-side validation and output encoding.
- Use contextual output encoding and input validation for the affected parameters: state, element, id, tab, and cid.
- Limit exposure of the affected endpoint to trusted users where practical and monitor for anomalous requests.
- Verify remediation by testing that the affected parameters are safely handled after applying the vendor fix.
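As an added illustration of the validation and encoding actions above (example code, not EPESI's own favorites.php), the following PHP fragment type-checks the five parameters named in this advisory and encodes anything echoed back to the page. The allowed `state` values and the identifier pattern for `element` are assumptions; replace them with the set your deployment actually accepts.

```php
<?php
// Added example, not EPESI code: typed validation plus contextual output encoding
// for the favorites.php parameters state, element, id, tab and cid.
declare(strict_types=1);

final class FavoritesParams
{
    // Assumed allowlist; the real EPESI state values may differ.
    private const STATES = ['add', 'remove'];

    /** @return array{state:string,element:string,id:int,tab:int,cid:int} */
    public static function validate(array $raw): array
    {
        $state = $raw['state'] ?? '';
        if (!in_array($state, self::STATES, true)) {
            throw new InvalidArgumentException('state not in allowlist');
        }
        $element = $raw['element'] ?? '';
        // Identifier-only pattern (assumed): letters, digits, underscore, at most 64 chars.
        if (!is_string($element) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $element)) {
            throw new InvalidArgumentException('element is not a plain identifier');
        }
        $ints = [];
        foreach (['id', 'tab', 'cid'] as $name) {
            // filter_var returns false for anything that is not a non-negative integer string.
            $v = filter_var($raw[$name] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
            if ($v === false) {
                throw new InvalidArgumentException("$name must be a non-negative integer");
            }
            $ints[$name] = $v;
        }
        return ['state' => $state, 'element' => $element] + $ints;
    }

    // Encode for an HTML body or attribute context; ENT_QUOTES covers both quote styles.
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed input: a markup-bearing 'element' value is rejected before it can be echoed.
try {
    FavoritesParams::validate(['state' => 'add', 'element' => '<b>x', 'id' => '7', 'tab' => '1', 'cid' => '3']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . FavoritesParams::html($e->getMessage()) . PHP_EOL;
}
$ok = FavoritesParams::validate(['state' => 'add', 'element' => 'contact_1', 'id' => '7', 'tab' => '1', 'cid' => '3']);
// Even validated values are encoded at the point of output.
echo '<div data-element="' . FavoritesParams::html($ok['element']) . '" data-id="' . $ok['id'] . '"></div>' . PHP_EOL;
```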
Evidence notes
The CVE description states that multiple XSS issues exist in EPESI 1.8.1.1 due to insufficient filtration of user-supplied data passed to EPESI-master/modules/Utils/RecordBrowser/favorites.php. NVD classifies the weakness as CWE-79 and lists the vulnerable CPE as epesi:epesi:1.8.1.1. The CVE references include a SecurityFocus BID entry and a GitHub issue tagged as exploit/patch, which supports that a public advisory and remediation discussion exist. Published date used here is 2017-03-05T20:59:00.497Z.
Official resources
- CVE-2017-6487 CVE record (CVE.org)
- CVE-2017-6487 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Exploit, Patch
Publicly disclosed on 2017-03-05T20:59:00.497Z. No KEV date is listed in the supplied record.