PatchSiren cyber security CVE debrief
CVE-2017-6486 Reasoncms CVE debrief
CVE-2017-6486 is a cross-site scripting (XSS) vulnerability in reasoncms versions before 4.7.1. The issue stems from insufficient filtering of user-supplied input passed in the nyroModalSel parameter to the /reasoncms-master/www/nyroModal/demoSent.php URL. Because the flaw lets attacker-controlled HTML and JavaScript execute in a victim's browser under the vulnerable site's origin, it is a client-side integrity and session risk for any user who loads a maliciously crafted link or page. The CVE was published on 2017-03-05; later record updates do not change that original disclosure timing.
- Vendor: Reasoncms
- Product: CVE-2017-6486
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-05
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-05
- Advisory updated: 2026-05-13
Who should care
Administrators and maintainers running reasoncms deployments at version 4.7 or earlier, especially anyone who still exposes the nyroModal demoSent.php path to users. Security teams should also care where the application runs in environments in which browser session integrity, CSRF protections, or trust in admin users matters.
Technical summary
NVD classifies the weakness as CWE-79 (Cross-Site Scripting) and assigns the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network reachable, low attack complexity, no privileges required, user interaction required, changed scope (the script runs in the victim's browser rather than on the server), and low confidentiality and integrity impact with no availability impact. The vulnerable input is the nyroModalSel parameter passed to demoSent.php, where inadequate sanitization allows injected script or HTML to run in the context of the site. NVD lists affected versions through 4.7, with 4.7.1 referenced as the fixed release.
Defensive priority
Medium. The issue requires user interaction, but successful exploitation can expose user data, manipulate page content, or enable session-targeted attacks in the context of the application.
Recommended defensive actions
- Upgrade reasoncms to version 4.7.1 or later.
- Verify whether any public or user-reachable paths still expose /reasoncms-master/www/nyroModal/demoSent.php.
- Review application input handling for nyroModalSel and similar request parameters for proper output encoding and sanitization.
- Add server-side defenses such as contextual output encoding and validation for any dynamic HTML generation.
- If exposure is suspected, review logs and application behavior for suspicious links or requests targeting demoSent.php.
- Treat browser-based admin and editor sessions as at-risk until patched, and consider session hygiene checks after remediation.
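As an added example of the log review recommended above (this is not code from PatchSiren, NVD or the reasoncms project), the following Python pass scans constructed access-log lines and flags demoSent.php requests whose nyroModalSel value decodes to HTML or script markup, including double-encoded values that a single decode would miss. The path and parameter name come from the advisory; the log lines, addresses and values are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
# The path and parameter name come from the advisory; addresses and values are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2017:21:01:12 +0000] "GET /reasoncms-master/www/nyroModal/demoSent.php?nyroModalSel=%23content HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Mar/2017:21:02:40 +0000] "GET /reasoncms-master/www/nyroModal/demoSent.php?nyroModalSel=%3Cscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.12 - - [05/Mar/2017:21:03:05 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 300 "-" "curl/7.52"
203.0.113.13 - - [05/Mar/2017:21:04:00 +0000] "GET /reasoncms-master/www/nyroModal/demoSent.php?nyroModalSel=%2522%253E%253Cimg HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/reasoncms-master/www/nyroModal/demoSent.php"
PARAM = "nyroModalSel"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Characters that have no place in a modal selector value but are needed to break
# out of an HTML context; "javascript:" covers href/src sinks.
MARKUP_RE = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded values (%253C -> %3C -> <) are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious(log_text):
    """Return (ip, timestamp, decoded value) for every demoSent.php request whose
    nyroModalSel value contains HTML or script markup after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(TARGET_PATH):
            continue
        # parse_qs decodes one layer; decode_fully handles any further layers.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            value = decode_fully(raw)
            if MARKUP_RE.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits
```

Run against a real access log, only the two demoSent.php requests carrying markup are reported; the benign selector and the unrelated index.php request are ignored.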
Evidence notes
The CVE description states that the flaw is a cross-site scripting issue in reasoncms before 4.7.1 caused by insufficient filtration of user-supplied data (nyroModalSel) passed to reasoncms-master/www/nyroModal/demoSent.php. NVD marks the vulnerability as CWE-79 and provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The linked GitHub issue and v4.7.1 release notes serve as the vendor-adjacent references for mitigation and fixed-release context. The publishedAt timestamp (2017-03-05T20:59:00.463Z) is the disclosure date used here; the 2026 modified timestamp reflects later record maintenance, not the original issue date.
Official resources
- CVE-2017-6486 CVE record (CVE.org)
- CVE-2017-6486 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
Publicly disclosed on 2017-03-05. The NVD record was later modified on 2026-05-13, but that update does not alter the original disclosure date.