PatchSiren

CVE-2017-6390 Soruly CVE debrief

CVE-2017-6390 is a cross-site scripting vulnerability in whatanime.ga that could let an attacker inject HTML and script that runs in a visitor's browser in the context of the site. The issue is described as insufficient filtration of user-supplied data passed to whatanime.ga-master/index.php, and the available references point to a patch commit and related issue discussion.

Vendor: Soruly
Product: CVE-2017-6390
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and users of whatanime.ga deployments should care, especially anyone running versions predating the referenced patch commit. Any service that accepts user-controlled input into index.php is directly in scope for review.

Technical summary

NVD classifies this issue as CWE-79 with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is tied to inadequate input filtration in whatanime.ga-master/index.php, enabling arbitrary HTML/script execution in the context of the vulnerable website. The supplied record and references indicate remediation in the referenced Git commit.

Defensive priority

Medium

Recommended defensive actions

  • Update to a version that includes the referenced patch commit c334dd8499a681587dd4199e90b0aa0eba814c1d or later.
  • Review index.php and any related request-handling code for untrusted input that is rendered into HTML without encoding.
  • Apply output encoding and server-side validation for all user-controlled fields used in page rendering.
  • Add regression tests that verify special characters and markup are safely escaped in the affected flow.
  • If you cannot patch immediately, restrict exposure of the affected endpoint and monitor for unexpected script or markup injection attempts.
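
The output-encoding and regression-test actions above, sketched as an added example; this is not code from the whatanime.ga project or its patch commit and does not reproduce the contents of index.php. The request field `q`, the fragment markup, and every function name are hypothetical.

```php
<?php
declare(strict_types=1);

// Encode untrusted text for HTML element content and quoted attribute values.
function esc_html(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode untrusted text as a JS string literal that cannot end a <script> block.
function esc_js(string $v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR);
}

// Hypothetical fragment; "q" stands in for any request field echoed into the page.
// $encode = false reproduces the unencoded pattern so the check below has something to catch.
function render_fragment(array $request, bool $encode = true): string
{
    $q = isset($request['q']) && is_string($request['q']) ? $request['q'] : '';
    $html = $encode ? esc_html($q) : $q;
    $js = $encode ? esc_js($q) : '"' . $q . '"';
    return "<input name=\"q\" value=\"{$html}\">\n<p>Results for {$html}</p>\n"
         . "<script>var query = {$js};</script>\n";
}

// Count the characters that can open a tag or close an attribute or string.
function shape(string $html): array
{
    return array_map(fn(string $c): int => substr_count($html, $c), ['<', '>', '"', "'"]);
}

// A sample fails if it changes the fragment's markup shape relative to empty input.
function regression_failures(array $samples, bool $encode = true): array
{
    $baseline = shape(render_fragment(['q' => ''], $encode));
    return array_values(array_filter(
        $samples,
        fn(string $s): bool => shape(render_fragment(['q' => $s], $encode)) !== $baseline
    ));
}

// Constructed inputs: plain text plus the metacharacters the encoders must neutralise.
$samples = ['plain text', '<b>bold</b>', 'a"b', "it's", 'x</script>y', 'Tom & Jerry'];
$encoded = regression_failures($samples);
$raw = regression_failures($samples, false);
printf("encoded renderer: %d failing samples\n", count($encoded));
printf("unencoded renderer: %d failing samples\n", count($raw));
exit($encoded === [] ? 0 : 1);
```

The script exits non-zero if any sample alters the encoded fragment's markup, so it can run as a CI step; the shape comparison is a coarse invariant and complements, rather than replaces, review of each output context.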

Evidence notes

The supplied NVD record states that the issue is in whatanime.ga before commit c334dd8499a681587dd4199e90b0aa0eba814c1d and that insufficient filtration of user-supplied data passed to whatanime.ga-master/index.php allows arbitrary HTML and script execution in the browser context of the vulnerable website. NVD also maps the weakness to CWE-79 and provides a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The reference list includes a SecurityFocus BID entry, a patch commit, and an issue discussion; this debrief does not rely on any unstated contents from those links.

Official resources

CVE published 2017-03-02T06:59:00.293Z; the NVD record was modified on 2026-05-13T00:24:29.033Z. The timing context in this debrief uses the supplied CVE published date and associated source metadata, not any generation date.