PatchSiren cyber security CVE debrief
CVE-2017-6395 Hashover Project CVE debrief
CVE-2017-6395 is a cross-site scripting flaw in HashOver 2.0 caused by insufficient filtration of user-supplied data passed to hashover/scripts/widget-output.php. An attacker can cause a victim’s browser to execute arbitrary HTML and script in the context of the vulnerable website.
- Vendor: Hashover Project
- Product: CVE-2017-6395
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Organizations running HashOver 2.0, especially if hashover/scripts/widget-output.php is reachable from the web, should treat this as relevant. Web application security teams and site operators that embed HashOver comments or widgets should also review exposure.
Technical summary
The NVD record maps this issue to CWE-79 (improper neutralization of input during web page generation) and describes insufficient filtering of user-supplied data before it is output by hashover/scripts/widget-output.php. The supplied CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates an attack that is reachable over the network and needs no privileges, but requires a victim to interact with crafted content; the changed scope (S:C) reflects that the injected content executes in the victim's browser rather than in the vulnerable component itself. Successful exploitation runs attacker-controlled HTML/JavaScript in the site's origin.
Defensive priority
Medium priority. The issue is remotely reachable and requires no privileges, but exploitation depends on user interaction and the reported impact is limited to confidentiality and integrity under the site context.
Recommended defensive actions
- Inventory any HashOver 2.0 deployments and confirm whether hashover/scripts/widget-output.php is exposed to the web.
- Apply the vendor/community fix referenced in the linked HashOver issue, or retire/replace the affected version if no fix is available in your deployment path.
- Verify that all user-controlled data rendered by the widget-output path is contextually escaped and never emitted as raw HTML or script.
- Add or tighten a restrictive Content Security Policy to reduce the impact of any residual XSS.
- Review logs and application telemetry for suspicious requests targeting widget-output.php and other comment/widget endpoints.
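As an added example, not HashOver's own code, the following PHP renderer shows the contextual escaping the third action calls for, together with the nonce-based Content Security Policy from the fourth; render_widget(), the encoder helpers and the comment fields are assumptions.

```php
<?php
// Added illustration, not HashOver's code: context-aware output encoding for a
// comment-widget renderer. render_widget() and the $comment fields are assumed.
declare(strict_types=1);
// HTML text and attribute context: encode & < > " and ' (ENT_QUOTES covers the quotes).
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// href context: encoding alone does not neutralise javascript: or data: URLs,
// so allow only http(s) schemes, then attribute-encode the result.
function esc_url(string $url): string {
    $parts = parse_url($url) ?: [];
    $scheme = strtolower((string) ($parts['scheme'] ?? ''));
    return in_array($scheme, ['http', 'https'], true) ? esc_html($url) : '';
}

// Data handed to an inline script: JSON with the HEX flags so < > & ' " become
// \uXXXX escapes and can never terminate the <script> element early.
function esc_js_data($value): string {
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
                               | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function render_widget(array $comment, string $nonce): string {
    // The CWE-79 pattern is "<p>{$comment['body']}</p>": raw input in markup.
    // Here every interpolation goes through the encoder for its context.
    return '<div class="hashover-comment" data-id="' . esc_html($comment['id']) . '">'
        . '<a href="' . esc_url($comment['website']) . '">' . esc_html($comment['name']) . '</a>'
        . '<p>' . esc_html($comment['body']) . '</p>'
        . '<script nonce="' . esc_html($nonce) . '">var widgetData = '
        . esc_js_data(['name' => $comment['name']]) . ';</script></div>';
}

// Constructed sample input that tries to break out of each context.
$sample = [
    'id'      => '42" data-x="',
    'name'    => '<b>Mallory</b>',
    'website' => 'javascript:example()',
    'body'    => '</p><script>example()</script>',
];

// Defence in depth from the CSP action above: only same-origin resources and
// scripts carrying this per-response nonce may run, so stray inline script is blocked.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-$nonce'; "
     . "object-src 'none'; base-uri 'none'");
echo render_widget($sample, $nonce), PHP_EOL;
```

Run from the command line the header() call is a no-op and the encoded markup is printed; in each context the sample's quotes, angle brackets and javascript: scheme come out inert.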
Evidence notes
This debrief is based on the supplied NVD record and the CVE description. The record explicitly identifies HashOver 2.0 as vulnerable, cites CWE-79, and provides a CVSS 3.0 vector consistent with browser-triggered XSS. The supplied references include a SecurityFocus BID entry and a GitHub issue marked as issue tracking/patch/third-party advisory. The CVE was published on 2017-03-02 and later modified on 2026-05-13; that modified timestamp is not the issue date.
Official resources
- CVE-2017-6395 CVE record (CVE.org)
- CVE-2017-6395 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch, Third Party Advisory
Publicly disclosed in the CVE record on 2017-03-02; the record was later modified on 2026-05-13. No KEV entry was supplied for this CVE.