PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5959 Metalgenix CVE debrief

CVE-2017-5959 is a critical web application flaw in GeniXCMS versions through 1.0.1. The issue is a CSRF token bypass that can enable privilege escalation, and the supplied description notes that the forgotpassword.php page can be used to acquire a token. NVD rates the issue CVSS 9.8, with a network attack vector and no privileges or user interaction required.

Vendor: Metalgenix
Product: Genixcms
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-21
Original CVE updated: 2026-05-13
Advisory published: 2017-02-21
Advisory updated: 2026-05-13

Who should care

Administrators and developers running GeniXCMS 1.0.1 or earlier, especially if the application is internet-facing. Security teams should prioritize any exposed password reset or account-management workflows that rely on CSRF protections.

Technical summary

The official NVD record maps CVE-2017-5959 to CWE-352 (Cross-Site Request Forgery) and lists affected versions through 1.0.1. The vulnerability description states that CSRF token validation can be bypassed and that forgotpassword.php can be used to obtain a token, which undermines request integrity and may allow privilege escalation. The referenced fix is associated with GeniXCMS v1.0.2.

Defensive priority

Immediate. NVD assigns a CVSS 3.0 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so exposed deployments should be patched as soon as possible.

Recommended defensive actions

  • Upgrade GeniXCMS to version 1.0.2 or later.
  • Treat all installations running 1.0.1 or earlier as vulnerable until confirmed otherwise.
  • Review password-reset and account-management flows to ensure CSRF tokens are generated, validated, and not reusable across unrelated requests.
  • If patching is delayed, restrict external access to the application and monitor for suspicious account or privilege changes.
  • After remediation, review affected accounts and sessions for unauthorized changes and rotate credentials where appropriate.
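The third action above asks for CSRF tokens that are bound to one session and one action rather than reusable across unrelated requests. The following is an added, constructed example written for this debrief; it is not GeniXCMS code and does not describe that project's internals. It places an illustrative weak scheme (a single pool of tokens that any page, including an unauthenticated one, can mint and that any form accepts) beside a hardened scheme whose tokens carry an HMAC over the session id, the action name, an issue timestamp and a nonce, checked in constant time, with a short lifetime and single use. The secret, session ids and action names are placeholders.

```python
"""Action-scoped CSRF tokens: an illustrative weak scheme beside a hardened one.

Constructed example for this debrief; not GeniXCMS code. It demonstrates the
property asked for in the recommended actions: a token minted on a public
page must not be accepted on a different, privileged action or session.
"""
import hashlib
import hmac
import secrets
import time


class WeakCsrf:
    """Illustrative weak scheme (constructed, not the real application's code):
    one shared pool of tokens, any page can mint one, and validation only asks
    'is this token in the pool?'. A token obtained from a public form is
    therefore accepted on every other form in the application."""

    def __init__(self):
        self._pool = set()

    def issue(self):
        token = secrets.token_hex(16)
        self._pool.add(token)
        return token

    def validate(self, token):
        # No binding to session or action: any live token passes anywhere.
        return token in self._pool


class ScopedCsrf:
    """Hardened scheme: HMAC-SHA256 over (session id, action, timestamp, nonce)
    under a server-side secret. The MAC is the proof of origin, so no
    server-side token table is needed; only consumed nonces are remembered."""

    def __init__(self, secret, ttl_seconds=900):
        self._secret = secret          # placeholder; load from config in practice
        self._ttl = ttl_seconds        # tokens older than this are rejected
        self._used = set()             # nonces already spent (per-process demo store)

    def _mac(self, session_id, action, ts, nonce):
        msg = "|".join([session_id, action, str(ts), nonce]).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, action, now=None):
        ts = int(time.time() if now is None else now)
        nonce = secrets.token_hex(16)
        return "{}.{}.{}".format(ts, nonce, self._mac(session_id, action, ts, nonce))

    def validate(self, token, session_id, action, now=None):
        parts = token.split(".")
        if len(parts) != 3:
            return False                      # malformed
        ts_str, nonce, mac = parts
        if not ts_str.isdigit():
            return False
        ts = int(ts_str)
        current = int(time.time() if now is None else now)
        if ts > current or current - ts > self._ttl:
            return False                      # from the future, or expired
        if nonce in self._used:
            return False                      # replay of a spent token
        expected = self._mac(session_id, action, ts, nonce)
        if not hmac.compare_digest(expected, mac):
            return False                      # wrong session, wrong action, or tampered
        self._used.add(nonce)                 # single use
        return True


def demo():
    """Exercise both schemes with a token minted for a public password-reset
    action and return the outcomes by name (placeholder session/action names)."""
    weak = WeakCsrf()
    public_token = weak.issue()               # minted by a page that needs no login

    scoped = ScopedCsrf(b"placeholder-server-secret")
    sid = "sess-anonymous"
    t = scoped.issue(sid, "forgot_password", now=1000)
    stale = scoped.issue(sid, "forgot_password", now=1000)

    return {
        "weak_accepts_cross_action": weak.validate(public_token),
        "scoped_wrong_action": scoped.validate(t, sid, "admin_change_role", now=1001),
        "scoped_wrong_session": scoped.validate(t, "sess-admin", "forgot_password", now=1001),
        "scoped_malformed": scoped.validate("not-a-token", sid, "forgot_password", now=1001),
        "scoped_correct": scoped.validate(t, sid, "forgot_password", now=1001),
        "scoped_replay": scoped.validate(t, sid, "forgot_password", now=1002),
        "scoped_expired": scoped.validate(stale, sid, "forgot_password", now=5000),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("{:28s} {}".format(name, "accepted" if ok else "rejected"))
```

In the hardened scheme the action name is part of the MAC input, which is what stops a token issued for the password-reset form from being presented to an account-management or role-change handler; binding the session id stops a token minted in one browser session from being used in another. The consumed-nonce set is process-local here for clarity; a deployed application would keep it in the session store or accept the small replay window the TTL leaves.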

Evidence notes

The supplied NVD record published on 2017-02-21 states that versions through 1.0.1 are vulnerable and associates the issue with CWE-352. It also lists the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. References include GitHub issue #70 and the GeniXCMS v1.0.2 release, which support the fix boundary. The source record was modified in 2026, but the CVE issue date remains 2017-02-21.

Official resources

Published by NVD/CVE on 2017-02-21T07:59:00.360Z. The supplied record was modified on 2026-05-13T00:24:29.033Z. No KEV listing is present in the supplied data.