PatchSiren cyber security CVE debrief
CVE-2017-5517 Metalgenix CVE debrief
CVE-2017-5517 is a critical SQL injection flaw in GeniXCMS’s author.control.php. According to the NVD record, a remote attacker can abuse the type parameter to execute arbitrary SQL commands, with no authentication or user interaction required.
- Vendor: Metalgenix
- Product: CVE-2017-5517
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-17
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-17
- Advisory updated: 2026-05-13
Who should care
Administrators and operators running GeniXCMS through 0.0.8, especially any internet-facing installation, should treat this as urgent. Security teams responsible for web application patching, exposure review, and database hardening should prioritize it.
Technical summary
The vulnerability is classified as CWE-89 (SQL Injection). NVD lists the affected CPE as metalgenix:genixcms with versions through 0.0.8, and assigns the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 CRITICAL). The issue is referenced in the project's public issue tracker and in third-party advisories, which indicates the weakness was publicly known within the project ecosystem.
Defensive priority
Critical. The combination of network reachability, no privileges required, and full confidentiality/integrity/availability impact makes this a high-priority patching and exposure-response item.
Recommended defensive actions
- Upgrade or replace any GeniXCMS deployment affected through version 0.0.8.
- If immediate upgrading is not possible, restrict external access to the application and place it behind strong network controls.
- Review application and database logs for unexpected SQL errors, unusual author/admin activity, or suspicious requests targeting author.control.php and the type parameter.
- Verify all instances, forks, and bundled deployments of GeniXCMS in your environment so no exposed copy is missed.
- Apply least-privilege database credentials and review whether the application has unnecessary database permissions.
- Track remediation against the official CVE and NVD records and confirm the vulnerable version is no longer deployed.
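A log-review helper for the third action above, added here as an example and not part of the PatchSiren debrief or of the GeniXCMS project itself: it parses combined-format web server log lines and flags requests that reach author.control.php with SQL metacharacters or keywords in the type parameter. The /gxadmin/ path prefix, the field names and the sample log lines are constructed assumptions, not observed traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (Apache/nginx default): client, identd, user, timestamp, request line, status, bytes, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# SQL metacharacters and keywords that have no business in a plain `type` value.
SQLI_RE = re.compile(
    r"""['"`;]|--|/\*|\#|\b(?:union|select|insert|update|delete|sleep|benchmark)\b""",
    re.IGNORECASE,
)

# Constructed sample lines, not real traffic. The /gxadmin/ prefix is an assumption.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jan/2017:10:00:01 +0000] "GET /gxadmin/author.control.php?type=post HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jan/2017:10:00:02 +0000] "GET /gxadmin/author.control.php?type=post%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jan/2017:10:00:03 +0000] "GET /gxadmin/index.php?type=post%27 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
malformed line that should be skipped, not crash the scan
"""

def parse_line(line):
    """Return the log fields as a dict, or None when the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_type_param(target):
    """Return the decoded `type` value when the request reaches author.control.php
    and that value carries SQL metacharacters or keywords; otherwise None."""
    parts = urlsplit(target)
    if "author.control.php" not in parts.path:
        return None
    # parse_qs percent-decodes, so an encoded quote (%27) is inspected as a quote.
    for value in parse_qs(parts.query, keep_blank_values=True).get("type", []):
        if SQLI_RE.search(value):
            return value
    return None

def scan_log(text):
    """Return (client ip, timestamp, decoded type value) for every flagged request."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, never fatal
        value = suspicious_type_param(rec["target"])
        if value is not None:
            hits.append((rec["ip"], rec["ts"], value))
    return hits
```

Requests to other controllers are deliberately not flagged even when they carry a quote, so the same scan can be widened to every request with a type parameter if the deployment routes author.control.php through a front controller.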
Evidence notes
This debrief is based on the supplied NVD CVE metadata, which states that the issue is a SQL injection in author.control.php reachable via the type parameter and that GeniXCMS is vulnerable through version 0.0.8. The NVD record also provides the CWE-89 classification, the 9.8 CVSS 3.0 vector, and the affected CPE range. The supplied references include the official CVE record, the NVD detail page, a SecurityFocus BID entry, and a GitHub issue reference marked as issue tracking/patch/advisory support. The CVE published date used here is 2017-01-17; the supplied modified date is 2026-05-13.
Official resources
- CVE-2017-5517 CVE record (CVE.org)
- CVE-2017-5517 NVD detail (NVD)
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Exploit, Issue Tracking, Patch, Third Party Advisory
Publicly disclosed in the CVE record on 2017-01-17 and later modified in NVD on 2026-05-13. No CISA KEV entry was supplied for this CVE.