PatchSiren cyber security CVE debrief
CVE-2017-5990 Phreesoft CVE debrief
CVE-2017-5990 is a cross-site scripting flaw in PhreeBooksERP affecting the UPS and YRC label manager js_include.php endpoints. The issue comes from insufficient filtering of user-supplied data in the form GET parameter, allowing script execution in a victim’s browser in the context of the vulnerable site.
- Vendor: Phreesoft
- Product: CVE-2017-5990
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-15
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-15
- Advisory updated: 2026-05-13
Who should care
Administrators and developers running affected PhreeBooksERP builds, especially any deployment that includes the UPS or YRC shipping label manager code paths. Security teams should also verify whether their installed package matches the affected branch, since the advisory notes these files are not present in the SourceForge stable release (R37RC1).
Technical summary
NVD maps the weakness to CWE-79 and gives a network-reachable, user-interaction-required CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 medium). The vulnerable behavior is described as inadequate filtering of the form parameter in PhreeBooksERP-master/extensions/ShippingMethods/ups/label_mgr/js_include.php and .../yrc/label_mgr/js_include.php. A related GitHub issue and commit are referenced as the patch path.
Defensive priority
Medium. This is a browser-side injection issue with confidentiality and integrity impact, but it requires a user to interact with a crafted request or page. Prioritize if the affected endpoints are reachable in production or if the application is exposed to untrusted users.
Recommended defensive actions
- Confirm whether your deployed PhreeBooksERP build includes the affected UPS/YRC js_include.php files; the advisory says they are absent from the SourceForge stable release (R37RC1).
- Apply the vendor fix referenced by the linked GitHub commit and related issue if you maintain an affected branch.
- Review the affected endpoints for server-side input validation and output encoding of the form parameter.
- Test the application for cross-site scripting regressions after patching, especially around shipping label manager flows.
- Restrict exposure of admin or shipping-management functionality where practical and enforce browser-side protections such as a strong Content Security Policy.
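The following is an added example, not code from PhreeBooksERP or from the referenced patch. It shows the two controls the actions above call for on the form parameter (an allowlist check plus output encoding) and a detection check over constructed access-log lines for the two affected endpoints. The endpoint paths are taken from the advisory; the identifier-only allowlist, the rendered fragment and the log lines are assumptions.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs

# Affected endpoints from the advisory, as served from the application root
# (the "PhreeBooksERP-master/" source-tree prefix is dropped).
AFFECTED_ENDPOINTS = (
    "/extensions/ShippingMethods/ups/label_mgr/js_include.php",
    "/extensions/ShippingMethods/yrc/label_mgr/js_include.php",
)

# Allowlist for `form` (assumption: the value names a form whose JS fragment is
# included, so a plain identifier is the only legitimate shape).
FORM_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def validate_form_param(value):
    """Server-side input validation: the value, or None if it is not a safe identifier."""
    if value is None or not FORM_NAME.fullmatch(value):
        return None
    return value

def render_js_include(form):
    """Hardened output: reject anything outside the allowlist, then HTML-encode what is
    emitted so a later relaxation of the allowlist cannot become script injection.
    The fragment below is a stand-in for whatever the real script writes."""
    name = validate_form_param(form)
    if name is None:
        return None  # answer 400; never echo the rejected input back to the browser
    return "<!-- js include for form %s -->" % escape(name, quote=True)

def flag_request(log_line):
    """Detection over one access-log line: GET to an affected endpoint with a `form`
    value that fails the allowlist. Flags malformed input, not proven exploitation."""
    m = re.search(r'"GET (\S+) HTTP/[\d.]+"', log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if url.path not in AFFECTED_ENDPOINTS:
        return False
    values = parse_qs(url.query, keep_blank_values=True).get("form", [])
    return any(validate_form_param(v) is None for v in values)

# Constructed sample log lines, not real traffic; only the second should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Feb/2017:10:00:00 +0000] "GET /extensions/ShippingMethods/ups/label_mgr/js_include.php?form=ship_label HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Feb/2017:10:00:07 +0000] "GET /extensions/ShippingMethods/yrc/label_mgr/js_include.php?form=ship_label%22%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [15/Feb/2017:10:00:09 +0000] "GET /index.php?form=ship_label%22%3E HTTP/1.1" 200 300',
]
```

A flagged line is a review prompt for the shipping label manager flows, not evidence of compromise on its own.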
Evidence notes
Source evidence points to NVD’s CVE record, which classifies the issue as CWE-79 and provides the CVSS vector. The cited references include a SecurityFocus BID entry, a GitHub patch commit, and a GitHub issue marked as exploit/patch/vendor advisory. The CVE description explicitly notes that the affected js_include.php files do not exist in the SourceForge stable release (R37RC1), so applicability depends on the deployed branch or build.
Official resources
- CVE-2017-5990 CVE record (CVE.org)
- CVE-2017-5990 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Exploit, Patch, Vendor Advisory
Publicly disclosed on 2017-02-15 per the CVE record. The NVD entry was last modified on 2026-05-13; no KEV listing is indicated in the supplied data.