PatchSiren

Epesi CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Epesi CVE published 2017-03-05

CVE-2017-6491

CVE-2017-6491 is a medium-severity cross-site scripting issue in EPESI 1.8.1.1. According to the official NVD record, multiple user-controlled parameters passed to the Tooltip req.php endpoint were not filtered sufficiently, allowing an attacker to inject HTML or script that would run in the context of the vulnerable website.

MEDIUM Epesi CVE published 2017-03-05

CVE-2017-6490

CVE-2017-6490 is a publicly disclosed cross-site scripting issue in EPESI 1.8.1.1, published on 2017-03-05. The affected RecordBrowser endpoint in modules/Utils/RecordBrowser/grid.php fails to sufficiently filter several user-controlled parameters, which can let an attacker inject HTML or script into the victim’s browser session in the context of the vulnerable site. NVD classifies the weakness as CWE [truncated]

MEDIUM Epesi CVE published 2017-03-05

CVE-2017-6489

CVE-2017-6489 is a reflected cross-site scripting issue in EPESI 1.8.1.1. According to the NVD record, insufficient filtering of user-supplied parameters passed to EPESI-master/modules/Utils/Watchdog/subscribe.php can let an attacker inject HTML or script that executes in a victim’s browser in the context of the vulnerable site. The published severity is medium (CVSS 6.1), but the impact still matters bec [truncated]

MEDIUM Epesi CVE published 2017-03-05

CVE-2017-6488

CVE-2017-6488 is a medium-severity cross-site scripting issue in EPESI 1.8.1.1. User-controlled parameters passed to save_filters.php were not filtered adequately, allowing an attacker to inject HTML or script that executes in a victim's browser in the context of the vulnerable site.

MEDIUM Epesi CVE published 2017-03-05

CVE-2017-6487

CVE-2017-6487 is a 2017 cross-site scripting issue in EPESI 1.8.1.1. According to the CVE record and NVD data, user-supplied parameters passed to the RecordBrowser favorites.php endpoint were not sufficiently filtered, allowing script injection in the browser context of the affected site.