PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5516 Metalgenix CVE debrief

CVE-2017-5516 is a medium-severity cross-site scripting issue affecting GeniXCMS through version 0.0.8. The vulnerability is described as multiple XSS flaws in user forms that allow an attacker to inject arbitrary web script or HTML via crafted parameters. Because the attack requires user interaction but no privileges, it is especially important for any internet-facing deployment that accepts form input from untrusted users.

Vendor
Metalgenix
Product
CVE-2017-5516
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-17
Original CVE updated
2026-05-13
Advisory published
2017-01-17
Advisory updated
2026-05-13

Who should care

Administrators and developers running GeniXCMS through 0.0.8, especially sites with public-facing forms, profile fields, comments, or other user-submission workflows. Security teams responsible for web application hardening and content moderation should also treat this as relevant.

Technical summary

NVD classifies the issue as CWE-79 with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a network-reachable flaw that does not require privileges but does require a victim to interact with the affected page. The supplied description states that multiple user-form parameters can be used to inject arbitrary script or HTML. The referenced GitHub issue is tagged as an issue-tracking and patch reference, which suggests remediation was discussed in the project tracker.

Defensive priority

Medium priority. The vulnerability is easy to reach over the network and can affect confidentiality and integrity in a victim browser, but exploitation depends on user interaction. Patch or mitigate promptly if GeniXCMS is deployed.

Recommended defensive actions

  • Inventory all GeniXCMS installations and confirm whether any instance is running version 0.0.8 or earlier.
  • Upgrade to a fixed release or apply the remediation referenced in the project issue tracker if an upgrade is not immediately possible.
  • Audit all user-form handling for output encoding, context-appropriate escaping, and server-side input validation.
  • Add defense-in-depth controls such as a restrictive Content Security Policy where compatible.
  • Review exposed forms and recent logs for suspicious HTML or script-bearing input, and test that normal user content is safely rendered after remediation.

Evidence notes

The supplied NVD record published on 2017-01-17 and modified on 2026-05-13 identifies CVE-2017-5516 as a GeniXCMS issue affecting versions through 0.0.8, with CWE-79 and CVSS 3.0 6.1. MITRE-cited references in the corpus include SecurityFocus BID 95622 and GitHub issue #65; the GitHub reference is explicitly tagged as issue tracking and patch. No KEV entry or ransomware campaign flag is present in the supplied enrichment.

Official resources

Publicly disclosed in the CVE record on 2017-01-17. The vulnerability is described as multiple XSS issues in GeniXCMS user forms through 0.0.8, with later NVD metadata updates reflected on 2026-05-13.