PatchSiren cyber security CVE debrief

CVE-2017-5515 Metalgenix CVE debrief

CVE-2017-5515 is a medium-severity cross-site scripting issue affecting GeniXCMS through version 0.0.8. According to the published description and NVD metadata, a remote authenticated user can inject arbitrary web script or HTML through tag names in the user prompt function. The CVSS 3.0 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network reachability, low attack complexity, low privileges, and a user-interaction requirement, with limited confidentiality and integrity impact in the browser context.

Vendor: Metalgenix
Product: CVE-2017-5515
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-17
Original CVE updated: 2026-05-13
Advisory published: 2017-01-17
Advisory updated: 2026-05-13

Who should care

Administrators and developers running GeniXCMS through 0.0.8, especially deployments that allow untrusted authenticated users to create or edit tag-related content. Security teams should also review any workflow where tag names are rendered back into pages viewed by privileged users.

Technical summary

The weakness is mapped to CWE-79 (XSS). The corpus indicates the vulnerable behavior is in the user prompt function and is triggered via tag names. In practical defensive terms, this points to insufficient output encoding and/or input validation on user-controlled tag content before it is rendered in HTML. Because the CVSS scope is changed (S:C) and user interaction is required, the likely risk is browser-side script execution affecting the privileges and session context of whoever loads the affected page.

Defensive priority

Medium priority. The score is moderate, but the requirement for an authenticated attacker and a victim to interact with the page means exposure is highest in multi-user or admin-facing installations. Prioritize if GeniXCMS is externally reachable or used to manage content viewed by higher-privileged users.

Recommended defensive actions

Upgrade GeniXCMS to a version newer than 0.0.8 that includes the vendor fix, if available.
Validate and encode tag names before rendering them into HTML; do not trust user-controlled content even when the source is authenticated.
Review the affected user prompt and tag-handling code paths for any other XSS sinks or insufficient escaping.
Restrict which authenticated roles can create or modify tag names until remediation is confirmed.
Re-test the application after patching to confirm tag-related pages no longer render executable script or HTML from user input.

Evidence notes

This debrief is based on the CVE description, NVD metadata, and the linked references in the official record. The published metadata states: affected versions through 0.0.8, CWE-79, and CVSS v3.0 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The corpus does not include the full text of the GitHub issue or SecurityFocus entry, so remediation details are limited to the evidence explicitly provided in the source item.

Official resources

CVE-2017-5515 CVE record
CVE.org
CVE-2017-5515 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Exploit, Issue Tracking, Patch, Third Party Advisory

The CVE record was published on 2017-01-17. The 2026-05-13 modified timestamp reflects later metadata update activity in the official record, not a new disclosure date.