PatchSiren cyber security CVE debrief
CVE-2017-5960 Phalconeye Project CVE debrief
CVE-2017-5960 describes a cross-site scripting issue in Phalcon Eye through version 0.4.1. The problem stems from insufficient filtering of user-supplied data in multiple HTTP GET parameters passed to the affected frame.php endpoint, allowing script or HTML injection in the context of the vulnerable website.
- Vendor: Phalconeye Project
- Product: CVE-2017-5960
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-12
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-12
- Advisory updated: 2026-05-13
Who should care
Administrators and developers running Phalcon Eye deployments through 0.4.1, especially if the affected frame.php path is reachable from untrusted users. Security teams should treat this as a browser-side injection risk that can impact users who visit maliciously crafted links.
Technical summary
NVD classifies the issue as CWE-79 with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerable component is phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php, where multiple HTTP GET parameters are reflected into the page without sufficient sanitization. The result is a reflected XSS condition: arbitrary HTML and script code can execute in the victim's browser within the site's origin.
Defensive priority
Medium. The vulnerability requires user interaction but is network-reachable and can affect confidentiality and integrity within the web application context.
Recommended defensive actions
- Review whether your deployment includes Phalcon Eye version 0.4.1 or earlier affected builds and restrict access to the exposed frame.php route.
- Apply the vendor remediation referenced in the linked GitHub issue if available; otherwise remove or disable the affected component until fixed.
- Add server-side input validation and context-aware output encoding for all GET parameters used by the endpoint.
- Inspect any custom templates or integrations around editor.webodf/frame.php for unsafe reflection of request data.
- Use a web application firewall or reverse proxy rules as a temporary compensating control, but do not rely on it as the primary fix.
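The validate-then-encode action above, as an added example that is not Phalcon Eye's or Pydio's code: a hypothetical PHP handler that reflects several GET parameters into markup, shown first in the unsafe form the advisory describes and then with allowlist validation and per-context output encoding. The parameter names (doc, lang, title) and the viewer.php target are assumptions, not the real frame.php parameters.

```php
<?php
// Added example, not Phalcon Eye code. Parameter names 'doc', 'lang' and 'title'
// and the viewer.php target are hypothetical stand-ins.
declare(strict_types=1);

// --- Vulnerable pattern: raw reflection of request data into markup (CWE-79) ---
function render_frame_unsafe(array $get): string {
    // Every interpolation below is an injection point: attribute, URL and body context.
    return '<iframe src="viewer.php?doc=' . ($get['doc'] ?? '') . '&lang=' . ($get['lang'] ?? '') . '"></iframe>'
         . '<h1>' . ($get['title'] ?? '') . '</h1>';
}

// --- Hardened pattern: validate on input, encode for each output context ---
function html(string $s): string {
    // Safe for HTML body text and double-quoted attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_frame_safe(array $get): string {
    // 1. Validate: allowlist the shape of each parameter, reject or default otherwise.
    $doc = (string)($get['doc'] ?? '');
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(odt|ods|odp)\z/', $doc)) {
        http_response_code(400);
        return 'invalid document name';
    }
    $lang = (string)($get['lang'] ?? 'en');
    if (!in_array($lang, ['en', 'de', 'fr'], true)) {
        $lang = 'en';
    }
    // Free text is bounded in length; it is encoded, never trusted.
    $title = mb_substr((string)($get['title'] ?? ''), 0, 120, 'UTF-8');

    // 2. Encode for the context each value lands in:
    //    URL query component -> rawurlencode, then the whole URL -> HTML attribute -> html()
    $src = 'viewer.php?doc=' . rawurlencode($doc) . '&lang=' . rawurlencode($lang);
    return '<iframe src="' . html($src) . '"></iframe>'
         . '<h1>' . html($title) . '</h1>';
}

// Constructed sample request, as the endpoint would receive it through $_GET.
$sample = ['doc' => 'report.odt', 'lang' => 'en', 'title' => 'Q1 <review> & "notes"'];
echo render_frame_safe($sample), PHP_EOL;
```

Pair the encoding with a restrictive Content-Security-Policy on the response so that a missed encoding site does not immediately become script execution.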
Evidence notes
Based on the supplied NVD record and referenced advisory links: the vulnerability affects Phalcon Eye through 0.4.1, involves insufficient filtering of GET parameters in frame.php, and is classified by NVD as CWE-79 with the listed CVSS vector. The GitHub issue reference is the only provided source suggesting vendor discussion and a patch path; the corpus does not confirm a specific fixed release.
Official resources
- CVE-2017-5960 CVE record (CVE.org)
- CVE-2017-5960 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Exploit, Patch, Vendor Advisory
Publicly disclosed on 2017-02-12 per the CVE and NVD records; the NVD entry was last modified on 2026-05-13.