PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6397 Flightairmap CVE debrief

CVE-2017-6397 is a medium-severity cross-site scripting vulnerability in FlightAirMap v1.0-beta.10. The affected application pages do not sufficiently filter multiple user-supplied parameters, allowing an attacker to inject HTML or script that runs in a victim’s browser in the context of the vulnerable website.

Vendor: Flightairmap
Product: FlightAirMap
Affected version: v1.0-beta.10
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Administrators and developers running FlightAirMap v1.0-beta.10 should treat this as relevant, especially if any of the affected *-sub-menu.php pages are reachable by users or receive untrusted input. Security teams should also check whether any older deployments still expose this beta release.

Technical summary

NVD classifies the issue as CWE-79 and assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1). The vulnerability is described as insufficient filtration of user-supplied data in multiple parameters passed to several *-sub-menu.php pages, which can let attacker-controlled HTML or JavaScript execute in the browser under the site’s origin.

Defensive priority

Medium. Exploitation needs a victim to open a crafted link (UI:R) and the vector rates confidentiality and integrity impact as low, but script running in the site's origin can still read page data, alter page behavior, and act as the victim toward the application (impersonation or other in-browser abuse). The changed scope (S:C) reflects that the injected script runs in the victim's browser rather than in the vulnerable component itself.

Recommended defensive actions

  • Upgrade or replace FlightAirMap v1.0-beta.10 with a version that contains the vendor fix referenced in the project issue tracker.
  • Review every affected *-sub-menu.php page and ensure user-controlled parameters are validated server-side and output-encoded before rendering.
  • Apply context-appropriate output escaping for HTML, attributes, and JavaScript contexts; do not rely on client-side filtering alone.
  • Add or tighten a Content Security Policy and other browser-side hardening controls to reduce the impact of any missed injection points.
  • Re-test the affected pages after remediation to confirm that crafted parameters are rendered inert and no script execution occurs.
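The following PHP is an added example, not FlightAirMap's own code and not a reproduction of the actual vulnerable pages (the record does not list the affected parameter names). It shows a hypothetical *-sub-menu.php page in the raw-reflection form the CVE describes, then the same page hardened with server-side validation, output encoding chosen per context (HTML body, attribute value, inline script), and a nonce-based Content Security Policy. The parameter names `q` and `sort`, the function names and the CSP policy are assumptions; it assumes PHP 7.2 or later. Run from the command line (`php sub-menu-example.php`) it performs the re-test step: it renders the hardened page with a crafted parameter and exits non-zero if the payload comes back unencoded.

```php
<?php
// Added example, not FlightAirMap's own code. A hypothetical *-sub-menu.php
// page that reflects request parameters, shown first in the vulnerable form
// the CVE describes and then hardened. Parameter names (q, sort), function
// names and the CSP policy are assumptions for illustration.
declare(strict_types=1);

// VULNERABLE: user input concatenated raw into three contexts (HTML body,
// attribute value, inline script). A value such as "><script>alert(1)</script>
// breaks out of any of them. This is the pattern to remove, not to copy.
function render_vulnerable(array $get): string
{
    $q    = $get['q']    ?? '';
    $sort = $get['sort'] ?? 'asc';
    return '<h2>Results for ' . $q . '</h2>'
         . '<input name="q" value="' . $q . '">'
         . '<script>var sort = "' . $sort . '";</script>';
}

// HTML body and attribute context. ENT_QUOTES escapes both quote styles so the
// same helper is safe inside double- or single-quoted attributes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently turning the output into ''.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string context. json_encode emits a quoted JS literal; the HEX
// flags escape < > & ' " as \uXXXX and '/' is escaped by default, so a value
// can never close the surrounding <script> element. Non-ASCII (including
// U+2028/2029) is \u-escaped because JSON_UNESCAPED_UNICODE is not set.
function esc_js(string $s): string
{
    $enc = json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
    return $enc === false ? '""' : $enc;
}

// Accept only a string for a scalar parameter: PHP turns ?q[]=x into an array,
// which htmlspecialchars() rejects with a TypeError under strict types.
function str_param(array $get, string $name): string
{
    $v = $get[$name] ?? '';
    return is_string($v) ? $v : '';
}

// HARDENED: validate server-side, then escape for the exact output context.
// The nonce lets the page keep its inline script under a CSP that otherwise
// blocks inline and injected scripts.
function render_hardened(array $get, string $nonce): string
{
    $q = str_param($get, 'q');
    // An allowlist beats filtering when a parameter has a small set of legal values.
    $sort = str_param($get, 'sort');
    if (!in_array($sort, ['asc', 'desc'], true)) {
        $sort = 'asc';
    }
    return '<h2>Results for ' . esc_html($q) . '</h2>'
         . '<input name="q" value="' . esc_html($q) . '">'
         . '<script nonce="' . esc_html($nonce) . '">var sort = ' . esc_js($sort) . ';</script>';
}

// Browser-side hardening: a CSP that refuses injected script even if an
// encoding gap remains somewhere else in the application.
function csp_header(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-$nonce'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
}

$nonce = base64_encode(random_bytes(16));

if (PHP_SAPI === 'cli') {
    // Re-test step: render with a crafted parameter and confirm it comes back inert.
    $canary = '"><script>alert(1)</script><!--';   // constructed test payload
    $get    = ['q' => $canary, 'sort' => $canary];
    $bad    = render_vulnerable($get);
    $good   = render_hardened($get, $nonce);
    if (strpos($bad, $canary) === false) {
        fwrite(STDERR, "unexpected: vulnerable render did not reflect the payload\n");
        exit(1);
    }
    if (strpos($good, $canary) !== false || stripos($good, '<script>alert') !== false) {
        fwrite(STDERR, "FAIL: crafted parameter reflected unencoded\n");
        exit(1);
    }
    echo "OK: hardened render encodes the payload in all three contexts\n";
} else {
    header(csp_header($nonce));
    header('Content-Type: text/html; charset=UTF-8');
    echo render_hardened($_GET, $nonce);
}
```

The point of the two render functions side by side is that the fix is not a blocklist on the input: the same string is accepted, and what changes is that every write into the response goes through an encoder matching that output context, with a CSP behind it so a single missed sink no longer yields script execution.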

Evidence notes

The supplied NVD record and CVE description both identify a browser-side script injection issue in FlightAirMap v1.0-beta.10 caused by insufficient filtering in several *-sub-menu.php pages. The record lists CWE-79 and the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The CVE was originally published on 2017-03-02 and the NVD record was modified on 2026-05-13. References include a SecurityFocus BID entry and a GitHub issue that is tagged as an exploit/patch/third-party advisory reference in the source corpus.

Official resources

Public CVE disclosure date in the supplied record is 2017-03-02. The NVD entry was later modified on 2026-05-13. No KEV entry was provided in the supplied enrichment.