PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5964 Openenergymonitor CVE debrief

CVE-2017-5964 is a cross-site scripting issue in Emoncms through 9.8.0. The problem is tied to insufficient filtering of user-supplied HTTP GET parameters in the compare.php visualization endpoint, allowing attacker-controlled HTML or script to run in the context of the vulnerable site. NVD rates the issue as medium severity with network reachability, no privileges required, and user interaction required.

Vendor: Openenergymonitor
Product: Emoncms
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-12
Original CVE updated: 2026-05-13
Advisory published: 2017-02-12
Advisory updated: 2026-05-13

Who should care

Operators and administrators running Emoncms through 9.8.0, especially installations where the compare.php visualization is reachable by normal users or exposed in a browser-facing workflow. Security teams should also care if the deployment relies on browser session trust, shared dashboards, or user-generated links.

Technical summary

The NVD record classifies this as CWE-79 (XSS) with CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The affected surface is emoncms-master/Modules/vis/visualisations/compare.php, where multiple HTTP GET parameters are insufficiently filtered before being rendered back into the page. Because the flaw executes in the browser context of the vulnerable website, it can affect session-bound actions and page content integrity for users who open a crafted link or otherwise reach the vulnerable endpoint.

Defensive priority

Medium. The vulnerability requires user interaction, but it is network-reachable and can impact both confidentiality and integrity within the browser session context.

Recommended defensive actions

  • Inventory Emoncms deployments and confirm whether any instance is at or below version 9.8.0.
  • Upgrade to a fixed Emoncms release if available, or apply the vendor remediation referenced in the linked GitHub issue.
  • Review compare.php and related visualization handlers for output encoding and strict parameter validation.
  • Add or tighten browser-side defenses such as a restrictive Content Security Policy where feasible.
  • Check logs and user-facing links for suspicious compare.php requests containing unexpected parameter values.
  • Retest the affected endpoint after remediation to confirm that untrusted input is no longer reflected unsafely.
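As an added example (not part of the original debrief and not Emoncms code), a small Python log-review helper for the log-checking action above: it parses combined-format access log lines, keeps only requests to compare.php, decodes each GET parameter (twice, to catch double encoding) and flags values that carry HTML or script markup. The parameter names and log lines are constructed placeholders, since the debrief does not name the affected parameters.

```python
"""Flag compare.php requests whose GET parameters carry markup (CVE-2017-5964 log review)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache/nginx "combined" log format: client, [time], "METHOD target HTTP/x", status, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Characters/tokens that a chart label or feed id should never contain.
SUSPECT_RE = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)

def parse_line(line):
    """Return a dict with client, time, path and decoded params, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec['target'])
    rec['path'] = url.path
    # parse_qsl decodes once; unquote_plus again so %253C (double-encoded '<') is also caught.
    rec['params'] = [(k, unquote_plus(v))
                     for k, v in parse_qsl(url.query, keep_blank_values=True)]
    return rec

def suspicious_params(rec):
    """(name, value) pairs of compare.php parameters that contain markup; [] otherwise."""
    if not rec['path'].endswith('/compare.php'):  # only the vulnerable visualisation endpoint
        return []
    return [(k, v) for k, v in rec['params'] if SUSPECT_RE.search(v)]

def scan(lines):
    """Return (client, time, suspicious params) for every flagged request."""
    hits = []
    for rec in map(parse_line, lines):
        if rec and (bad := suspicious_params(rec)):
            hits.append((rec['client'], rec['time'], bad))
    return hits

# Constructed sample log lines (not real traffic); param names are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2017:10:00:01 +0000] "GET /emoncms/Modules/vis/visualisations/compare.php?feedidA=1&feedidB=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Feb/2017:10:00:07 +0000] "GET /emoncms/Modules/vis/visualisations/compare.php?feedidA=1&title=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Feb/2017:10:00:08 +0000] "GET /emoncms/Modules/vis/visualisations/compare.php?label=%253Cb%253Ex%253C%252Fb%253E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Feb/2017:10:00:09 +0000] "GET /emoncms/feed/list.json?title=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, when, bad in scan(SAMPLE_LOG):
        print(f"{when} {client} compare.php suspect params: {bad}")
```

Markup in a non-compare.php request (the list.json line) is deliberately ignored so the review stays focused on the endpoint this CVE covers.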

Evidence notes

The vulnerability description and version scope come from the official NVD record for CVE-2017-5964, which lists Emoncms through 9.8.0 and identifies CWE-79. The NVD CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a browser-mediated XSS issue with network reachability and no privileges required. NVD also links a GitHub issue in the Emoncms repository as a vendor advisory/patch reference, and a SecurityFocus BID entry as a third-party advisory.

Official resources

CVE published 2017-02-12; NVD record last modified 2026-05-13. The issue has no KEV listing in the supplied data.