PatchSiren cyber security CVE debrief
CVE-2017-6484 Inter Mediator CVE debrief
CVE-2017-6484 describes multiple cross-site scripting (XSS) issues in INTER-Mediator 5.5. The problem lies in the PasswordReset/resetpassword.php flow, where insufficient filtering of the user-supplied c and cred parameters can let an attacker inject HTML or script that runs in the victim's browser in the context of the vulnerable website.
- Vendor: Inter Mediator
- Product: CVE-2017-6484
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-05
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-05
- Advisory updated: 2026-05-13
Who should care
Teams running INTER-Mediator 5.5, especially if the PasswordReset/resetpassword.php endpoint is reachable by untrusted users or exposed to the internet. Web application owners, developers maintaining password-reset flows, and defenders responsible for browser-side input handling should prioritize review.
Technical summary
NVD classifies the issue as CWE-79 (cross-site scripting) and assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability affects INTER-Mediator 5.5 and is tied to insufficient filtering of the c and cred parameters passed to PasswordReset/resetpassword.php. Because the browser executes attacker-controlled markup or script in the site context, impact includes script execution and potential session- or page-level abuse when a user follows the crafted flow.
Defensive priority
Medium priority. The issue is network-reachable and requires user interaction, but it can still affect victims who open the vulnerable reset-password flow. Prioritize remediation if the endpoint is public-facing or handles untrusted input.
Recommended defensive actions
- Review the vendor guidance referenced in GitHub issue 772 and apply the available fix or mitigation for INTER-Mediator 5.5.
- Restrict or temporarily remove exposure of PasswordReset/resetpassword.php if you cannot patch immediately.
- Validate, sanitize, and contextually encode the c and cred parameters before any output reaches the browser.
- Add server-side input validation to reject unexpected parameter formats and lengths.
- Harden the application with defense-in-depth controls such as a restrictive Content Security Policy where feasible.
- Test the password-reset flow after remediation to confirm the parameters are no longer reflected in executable form.
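The validate-then-encode approach from the actions above, as an added example that is not INTER-Mediator's own code. It assumes, for illustration only, that c is a hexadecimal reset token and cred is an account identifier (e-mail or short alphanumeric name); the actual formats the application issues must be checked before reusing the patterns.

```php
<?php
// Added example, not INTER-Mediator's own code: hardened handling of the c and
// cred parameters for a reset-password page that reflects them into HTML and JS.

// Vulnerable pattern behind CWE-79: query input reflected raw into an attribute.
function renderResetFormUnsafe(array $query): string
{
    return '<input type="hidden" name="c" value="' . ($query['c'] ?? '') . '">'
         . '<input type="hidden" name="cred" value="' . ($query['cred'] ?? '') . '">';
}

// Assumption for this example: the token is hexadecimal and the account
// identifier is an e-mail address or short alphanumeric name; adjust to the
// formats the application actually issues.
function validateResetParams(array $query): ?array
{
    $c    = $query['c']    ?? null;
    $cred = $query['cred'] ?? null;
    if (!is_string($c) || !is_string($cred)) {
        return null;
    }
    if (preg_match('/\A[0-9a-f]{32,128}\z/', $c) !== 1) {
        return null;                       // unexpected token format or length
    }
    if (strlen($cred) > 254 || preg_match('/\A[A-Za-z0-9._%+@-]+\z/', $cred) !== 1) {
        return null;                       // not a plain identifier
    }
    return ['c' => $c, 'cred' => $cred];
}

// Contextual encoding: attribute context uses htmlspecialchars with ENT_QUOTES,
// script context uses json_encode with the HEX flags so "</script>" and quotes
// cannot break out of the string literal.
function renderResetFormSafe(array $params): string
{
    $attr = static fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $js   = static fn(string $v): string => json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<input type="hidden" name="c" value="' . $attr($params['c']) . '">'
         . '<input type="hidden" name="cred" value="' . $attr($params['cred']) . '">'
         . '<script>var resetAccount = ' . $js($params['cred']) . ';</script>';
}

// Refuse malformed input outright instead of reflecting it, then encode per context.
$params = validateResetParams($_GET);
if ($params === null) {
    http_response_code(400);
    exit('Invalid password-reset link.');
}
echo renderResetFormSafe($params);
```

The post-remediation test from the last action reduces to requesting the page with a probe value in each parameter and confirming the response contains only the encoded form, never the raw markup.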
Evidence notes
This debrief is based only on the supplied official records and references. The source corpus identifies INTER-Mediator 5.5 as vulnerable, the affected path as INTER-Mediator-master/Auth_Support/PasswordReset/resetpassword.php, and the weakness as CWE-79. The NVD entry provides CVSS 3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and references GitHub issue 772 as an exploit/vendor advisory. CVE publication date is 2017-03-05; the NVD record was last modified on 2026-05-13, which should not be treated as the issue date.
Official resources
- CVE-2017-6484 CVE record (CVE.org)
- CVE-2017-6484 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
CVE-2017-6484 was published on 2017-03-05. The supplied source corpus does not include a vendor patch date or fixed release, only the public advisory/reference trail.