PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5959 Metalgenix CVE debrief

CVE-2017-5959 is a critical web application flaw in GeniXCMS versions through 1.0.1. The issue is a CSRF token bypass that can enable privilege escalation, and the supplied description notes that the forgotpassword.php page can be used to acquire a token. NVD rates the issue as CVSS 9.8 with network attack characteristics and no privileges or user interaction required.

Vendor: Metalgenix
Product: CVE-2017-5959
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-21
Original CVE updated: 2026-05-13
Advisory published: 2017-02-21
Advisory updated: 2026-05-13

Who should care

Administrators and developers running GeniXCMS 1.0.1 or earlier, especially if the application is internet-facing. Security teams should prioritize any exposed password reset or account-management workflows that rely on CSRF protections.

Technical summary

The official NVD record maps CVE-2017-5959 to CWE-352 (Cross-Site Request Forgery) and lists affected versions through 1.0.1. The vulnerability description states that CSRF token validation can be bypassed and that forgotpassword.php can be used to obtain a token, which undermines request integrity and may allow privilege escalation. The referenced fix is associated with GeniXCMS v1.0.2.

Defensive priority

Immediate. NVD assigns a CVSS 3.0 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so exposed deployments should be patched as soon as possible.

Recommended defensive actions

  • Upgrade GeniXCMS to version 1.0.2 or later.
  • Treat all installations running 1.0.1 or earlier as vulnerable until confirmed otherwise.
  • Review password-reset and account-management flows to ensure CSRF tokens are generated, validated, and not reusable across unrelated requests.
  • If patching is delayed, restrict external access to the application and monitor for suspicious account or privilege changes.
  • After remediation, review affected accounts and sessions for unauthorized changes and rotate credentials where appropriate.
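As an added illustration of the third action above (not code from this page or from GeniXCMS), the Python below contrasts a weak CSRF-token scheme, where one per-session token issued by any page is accepted by every handler, with an action-scoped, single-use scheme that rejects a token obtained from a forgot-password step when it is replayed against a privilege-changing action. The weak pattern is assumed for illustration only, since the page does not detail the actual bypass mechanics; the in-memory session store and function names are likewise assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for server-side sessions
# (assumption for illustration, not GeniXCMS code).
SESSIONS: dict[str, dict] = {}

def new_session() -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_global": None, "csrf_scoped": {}}
    return sid

# --- Weak pattern (assumed): one token per session, handed out by any page,
# accepted by any state-changing handler. A token fetched from an unauthenticated
# page such as a forgot-password form is then valid everywhere.
def weak_issue(sid: str) -> str:
    s = SESSIONS[sid]
    if s["csrf_global"] is None:
        s["csrf_global"] = secrets.token_urlsafe(32)
    return s["csrf_global"]

def weak_validate(sid: str, presented: str) -> bool:
    expected = SESSIONS[sid]["csrf_global"]
    return expected is not None and hmac.compare_digest(expected, presented)

# --- Hardened pattern: each token is bound to the session AND to one named action,
# and is consumed on first use, so a forgot-password token cannot be replayed
# against an account-management or role-changing handler.
def scoped_issue(sid: str, action: str) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_scoped"][token] = action
    return token

def scoped_validate(sid: str, action: str, presented: str) -> bool:
    scoped = SESSIONS.get(sid, {}).get("csrf_scoped", {})
    for token, bound_action in list(scoped.items()):
        if hmac.compare_digest(token, presented):
            del scoped[token]                 # single use, burned even on action mismatch
            return bound_action == action     # must match the action it was issued for
    return False

def demo() -> tuple[bool, bool, bool]:
    """Token obtained at the forgot-password step, then replayed against a privileged
    action. Returns (weak_accepts, scoped_rejects_cross_action, scoped_rejects_replay)."""
    sid = new_session()
    t = weak_issue(sid)                           # obtained via the forgot-password page
    weak_accepts = weak_validate(sid, t)          # accepted by e.g. a role-change handler
    t2 = scoped_issue(sid, "forgot_password")
    scoped_rejects = not scoped_validate(sid, "change_role", t2)
    t3 = scoped_issue(sid, "change_role")
    first_use, replay = scoped_validate(sid, "change_role", t3), scoped_validate(sid, "change_role", t3)
    return weak_accepts, scoped_rejects, first_use and not replay
```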

Evidence notes

The supplied NVD record published on 2017-02-21 states that versions through 1.0.1 are vulnerable and associates the issue with CWE-352. It also lists the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. References include GitHub issue #70 and the GeniXCMS v1.0.2 release, which support the fix boundary. The source record was modified in 2026, but the CVE issue date remains 2017-02-21.

Official resources

Published by NVD/CVE on 2017-02-21T07:59:00.360Z. The supplied record was modified on 2026-05-13T00:24:29.033Z. No KEV listing is present in the supplied data.