PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6490 Epesi CVE debrief

CVE-2017-6490 is a publicly disclosed web cross-site scripting issue in EPESI 1.8.1.1, published on 2017-03-05. The affected RecordBrowser endpoint in modules/Utils/RecordBrowser/grid.php fails to sufficiently filter several user-controlled parameters, which can let an attacker inject HTML or script into the victim’s browser session in the context of the vulnerable site. NVD classifies the weakness as CWE-79 and rates it Medium severity.

Vendor
Epesi
Product
CVE-2017-6490
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-05
Original CVE updated
2026-05-13
Advisory published
2017-03-05
Advisory updated
2026-05-13

Who should care

Administrators and developers running EPESI 1.8.1.1 should care most, especially if the RecordBrowser module is reachable by untrusted users or exposed over the web. Security teams responsible for browser-based application defenses, session protection, and input/output validation reviews should treat this as a standard reflected XSS remediation item.

Technical summary

The supplied records describe multiple XSS conditions in EPESI 1.8.1.1 caused by insufficient filtration of user-supplied values passed to /modules/Utils/RecordBrowser/grid.php. The parameters called out in the CVE description are cid, value, element, mode, tab, form_name, and id. NVD maps the issue to CWE-79 and a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a network-reachable issue that requires user interaction and can impact confidentiality and integrity in the browser context.

Defensive priority

Medium priority. This is a classic reflected XSS issue with user interaction required, but it can still enable session abuse, content manipulation, and trust-boundary bypasses in affected deployments.

Recommended defensive actions

  • Confirm whether EPESI 1.8.1.1 is deployed anywhere in your environment, including internal or legacy instances.
  • Apply the vendor-recommended fix or upgrade path referenced by the project issue tracker if available in your deployment process.
  • Review all server-side handling of the RecordBrowser grid.php endpoint for input validation and output encoding of the listed parameters.
  • Temporarily restrict access to the affected endpoint if remediation cannot be applied immediately.
  • Add regression checks for reflected XSS patterns in the affected module and related request handlers.
  • Audit other EPESI modules for similar input handling and encoding weaknesses so the same flaw is not repeated elsewhere.

Evidence notes

This debrief is based only on the supplied CVE record, NVD metadata, and the linked reference URLs in the corpus. The description identifies insufficient filtration of user-supplied parameters to grid.php as the cause, NVD identifies CWE-79, and the CVSS vector indicates a network-reachable, user-interaction-dependent browser-context impact. The supplied corpus does not include exploit payloads or a full vendor remediation advisory.

Official resources

Publicly disclosed in the CVE record on 2017-03-05. The NVD entry in the supplied corpus was later modified on 2026-05-13; that later date is not the vulnerability’s original disclosure date.