PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5962 Netresearch CVE debrief

CVE-2017-5962 is a reflected cross-site scripting issue in the contexts_wurfl extension for TYPO3. User-supplied data in the force_ua HTTP GET parameter of the /contexts_wurfl/Library/wurfl-dbapi-1.4.4.0/check_wurfl.php endpoint was not filtered sufficiently before being written back into the response, allowing arbitrary HTML and script to execute in a visitor's browser in the context of the vulnerable site.

Vendor
Netresearch
Product
contexts_wurfl (TYPO3 extension)
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-12
Original CVE updated
2026-05-13
Advisory published
2017-02-12
Advisory updated
2026-05-13

Who should care

Administrators and developers running TYPO3 sites that include contexts_wurfl, especially installations where check_wurfl.php is reachable by site visitors or from the internet. Security teams should review any deployment still using a version before 0.4.2 and confirm whether the endpoint is reachable by untrusted clients at all.

Technical summary

The CVE description states that contexts_wurfl before 0.4.2 accepted unfiltered user input in the force_ua GET parameter passed to check_wurfl.php. NVD classifies the weakness as CWE-79 and rates it CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: reachable over the network, no attacker privileges, user interaction required (the victim must load a crafted request), and scope changed because the injected script runs in the victim's browser rather than in the vulnerable server component. Confidentiality and integrity impact are rated low and limited to what the victim's browser session can reach on the affected site.

Defensive priority

Medium. Prioritize remediation for any internet-facing TYPO3 deployment using contexts_wurfl, because the issue is remotely reachable and can execute script in a user's browser if they follow a crafted link or otherwise trigger the vulnerable request.

Recommended defensive actions

  • Upgrade contexts_wurfl to a fixed release at or after 0.4.2.
  • Verify whether /contexts_wurfl/Library/wurfl-dbapi-1.4.4.0/check_wurfl.php is exposed publicly. The file sits under the extension's Library directory and may be served directly by the web server rather than through TYPO3's own routing, so check web-server configuration, not only TYPO3 access settings; restrict or remove access if the endpoint is not required.
  • Audit server-side handling of the force_ua parameter and ensure any reflected output is context-appropriately encoded or not echoed at all.
  • Add or review input validation and output encoding controls for any TYPO3 extension code that processes user-controlled HTTP parameters.
  • Check web-server access logs and application behavior for requests targeting check_wurfl.php whose force_ua value contains markup, script or encoded equivalents rather than a plausible user-agent string.
  • If immediate upgrading is not possible, reduce exposure by placing the affected component behind access controls or disabling the feature where feasible.
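The log-review action above can be scripted. The following is an added example written for this debrief, not code from the contexts_wurfl project or from the CVE source: it parses combined-format access-log lines, keeps only hits on the check_wurfl.php path named in the CVE, extracts force_ua, undoes repeated URL and HTML encoding so double-encoded probes are judged in the form a browser would see, and flags values that contain tag openers, javascript: URLs, inline event handlers or character entities. The sample log lines are constructed for the example (documentation IP ranges, generic XSS probe strings); the regular expressions and the three-round decoding limit are the author's assumptions, not anything the advisory specifies.

```python
"""Triage access logs for suspicious force_ua values sent to check_wurfl.php.

Added example for the CVE-2017-5962 debrief; not part of contexts_wurfl.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the CVE description.
ENDPOINT = "/contexts_wurfl/Library/wurfl-dbapi-1.4.4.0/check_wurfl.php"

# Apache/nginx combined-log style line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Fragments that do not occur in a genuine user-agent string but do in
# reflected-XSS probes: tag openers, javascript: URLs, inline event
# handlers, numeric character entities. (Assumed heuristics, not exhaustive.)
SUSPICIOUS_RE = re.compile(
    r"<\s*/?\s*[a-z!?]|javascript\s*:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;?",
    re.IGNORECASE,
)


def normalise(value, rounds=3):
    """Undo repeated URL- and HTML-encoding until the value stops changing.

    parse_qs already decodes one layer; this catches double-encoded probes.
    The round limit is an assumed bound so pathological input cannot spin.
    """
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(force_ua):
    """True when the decoded force_ua value looks like markup, not a UA."""
    return SUSPICIOUS_RE.search(normalise(force_ua)) is not None


def parse_line(line):
    """Return a record for a hit on the check_wurfl.php endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != ENDPOINT:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    force_ua = params.get("force_ua", [None])[0]
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "force_ua": force_ua,
        "suspicious": force_ua is not None and is_suspicious(force_ua),
    }


def triage(lines):
    """Parse every line, keep endpoint hits, list suspicious ones first."""
    hits = [r for r in (parse_line(ln) for ln in lines) if r]
    return sorted(hits, key=lambda r: not r["suspicious"])


# Constructed sample log: one real-looking UA, one plain probe, one
# double-encoded probe, one unrelated request, one hit without force_ua.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2017:05:01:13 +0000] "GET /contexts_wurfl/Library/wurfl-dbapi-1.4.4.0/check_wurfl.php?force_ua=Mozilla%2F5.0+(iPhone%3B+CPU+iPhone+OS+10_0+like+Mac+OS+X) HTTP/1.1" 200 4123
203.0.113.9 - - [12/Feb/2017:05:02:40 +0000] "GET /contexts_wurfl/Library/wurfl-dbapi-1.4.4.0/check_wurfl.php?force_ua=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4210
198.51.100.7 - - [12/Feb/2017:05:03:02 +0000] "GET /contexts_wurfl/Library/wurfl-dbapi-1.4.4.0/check_wurfl.php?force_ua=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4188
203.0.113.5 - - [12/Feb/2017:05:03:30 +0000] "GET /index.php?id=1 HTTP/1.1" 200 9001
203.0.113.5 - - [12/Feb/2017:05:04:11 +0000] "GET /contexts_wurfl/Library/wurfl-dbapi-1.4.4.0/check_wurfl.php HTTP/1.1" 200 3900
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG.splitlines()):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f'{flag:10} {rec["host"]:14} {rec["time"]}  force_ua={rec["force_ua"]!r}')
```

Run it against a real log with `triage(open(path).read().splitlines())`. Hits without a force_ua value are kept but not flagged, so a sudden volume of requests to the endpoint still shows up even when the parameter is absent; tune SUSPICIOUS_RE to the user-agent strings your site legitimately sees before acting on the results.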

Evidence notes

The source corpus consistently identifies a user-controlled force_ua GET parameter passed to /contexts_wurfl/Library/wurfl-dbapi-1.4.4.0/check_wurfl.php as the injection point. The CVE description says this can execute arbitrary HTML and script code in a browser in the context of the vulnerable website. NVD maps the issue to CWE-79 and lists vulnerable CPEs for contexts_wurfl versions 0.2.0 alpha through 0.4.1 alpha, while the description says the issue is present before 0.4.2. The CVE was published on 2017-02-12 and last modified on 2026-05-13.

Official resources

CVE published: 2017-02-12T04:59:00.237Z. Last modified: 2026-05-13T00:24:29.033Z. NVD lists the vulnerable range for contexts_wurfl through 0.4.1 alpha, while the CVE description states the issue exists before 0.4.2.