PatchSiren cyber security CVE debrief
CVE-2017-5574 Metalgenix CVE debrief
CVE-2017-5574 is a critical SQL injection vulnerability associated with GeniXCMS before 1.0.0. NVD records that the issue can be reached by an unauthenticated attacker and maps it to full confidentiality, integrity, and availability impact. The vendor references include an issue report and the v1.0.0 release, indicating the fix was delivered in that release line.
- Vendor: Metalgenix
- Product: CVE-2017-5574
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-23
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-23
- Advisory updated: 2026-05-13
Who should care
Administrators and developers running GeniXCMS deployments prior to 1.0.0, especially any instance exposed to the internet or allowing public registration/activation flows. Security teams should also care if they inherit or monitor legacy PHP applications that may still be running affected versions.
Technical summary
NVD classifies the flaw as CWE-89 (SQL Injection) with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is described as affecting register.php in GeniXCMS before 1.0.0, where the activation parameter can be abused by an unauthenticated user to execute arbitrary SQL commands. The NVD CPE mapping identifies vulnerable versions through 0.0.8, while the linked v1.0.0 release is the referenced patch milestone.
Defensive priority
Critical. This is network-reachable, requires no authentication, and is scored for complete CIA impact. Treat as an urgent upgrade-and-verify issue for any exposed or production GeniXCMS installation.
Recommended defensive actions
- Upgrade GeniXCMS to version 1.0.0 or later, using the referenced release as the minimum fixed version.
- Inventory all hosts and containers to confirm whether GeniXCMS is installed and whether any instance is on a vulnerable version.
- Review public-facing registration and activation functionality and reduce exposure where it is not required.
- Check application and database logs for unusual SQL errors, unexpected registration activity, or signs of tampering around the affected endpoint.
- If compromise is suspected, rotate application secrets and review database account privileges and stored data integrity.
- Apply least-privilege database permissions and keep the application and its dependencies patched.
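As an added illustration of the log-review step above (this is not part of the original debrief or of the GeniXCMS project): a small Python triage script that scans web server access-log lines for requests to register.php whose activation value does not look like a plain token. The token shape is an assumption, since the debrief does not state how GeniXCMS formats activation values, and the log lines are constructed samples. Only GET query strings are visible in a standard access log, so POST bodies would need application-level logging.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Jan/2017:10:00:01 +0000] "GET /register.php?activation=c9f1a2b3d4e5f6a7 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.11 - - [23/Jan/2017:10:00:05 +0000] "GET /register.php?activation=abc%27def%3B HTTP/1.1" 500 311 "-" "curl/7.52.1"
203.0.113.12 - - [23/Jan/2017:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.13 - - [23/Jan/2017:10:00:12 +0000] "GET /register.php?activation=%20%20 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

# Pulls the fields we need out of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumption (not from the advisory): a legitimate activation token is a short
# alphanumeric string. Anything else is worth a human look.
TOKEN_RE = re.compile(r'^[A-Za-z0-9]{1,64}$')


def suspicious_activation_requests(log_text):
    """Return one finding per register.php request whose activation value
    fails the token allow-list. parse_qs already percent-decodes values."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/register.php'):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get('activation', []):
            if TOKEN_RE.match(value):
                continue
            findings.append({
                'ip': m.group('ip'),
                'timestamp': m.group('ts'),
                'status': m.group('status'),
                'activation': value,
                # A 5xx on the same request often means the database rejected
                # the query, which is a stronger signal than the odd value alone.
                'server_error': m.group('status').startswith('5'),
            })
    return findings


if __name__ == '__main__':
    for f in suspicious_activation_requests(SAMPLE_LOG):
        print(f)
```

Run it against an exported access log instead of SAMPLE_LOG; correlate flagged entries with database error logs from the same timestamps before concluding anything.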
Evidence notes
The debrief is based on the NVD CVE record and the linked mitigation references. The core evidence is the CVE description stating that register.php in GeniXCMS before 1.0.0 allows unauthenticated SQL injection via the activation parameter, the NVD CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and the CWE-89 classification. The references to GitHub issue #69 and the v1.0.0 release support the remediation timeline. The source corpus contains a naming inconsistency: the description and references point to GeniXCMS, while the CPE mapping uses metalgenix:genixcms; this debrief preserves both as source evidence.
Official resources
- CVE-2017-5574 CVE record (CVE.org)
- CVE-2017-5574 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch, Third Party Advisory
Published by NVD on 2017-01-23 and modified on 2026-05-13. No CISA KEV listing is present in the supplied timeline data.