VYPR
← All advisories
Moderate severityNVD Advisory· Published Jan 3, 2018· Updated Sep 16, 2024

CVE-2017-1000495

CVE-2017-1000495

Description

Stored XSS in QuickApps CMS 2.0.0 user real name field allows low-privileged users to execute arbitrary JavaScript in admin context.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in QuickApps CMS 2.0.0 user real name field allows low-privileged users to execute arbitrary JavaScript in admin context.

Vulnerability

QuickApps CMS version 2.0.0 is vulnerable to stored cross-site scripting (XSS) in the user's "real name" field [1][4]. The application does not sanitize or escape this field before rendering it in the administrator's user list, allowing any authenticated user to inject arbitrary HTML and JavaScript [4]. The vulnerability exists in the user profile editing functionality.

Exploitation

An attacker with the lowest user privileges can log in, navigate to "My Account", and change their real name to a JavaScript payload (e.g., ``) [4]. When an administrator views the user list in the admin console, the payload executes in the administrator's browser session [4]. No additional user interaction beyond viewing the list is required.

Impact

Successful exploitation allows the attacker to perform actions as the administrator, including creating a denial of service condition or performing unauthorized actions such as modifying site content or user permissions [1][4]. The attack achieves privilege escalation from a low-privileged user to full administrative control via stored XSS.

Mitigation

The fix was implemented in commit 7d648f21bd87af8263dcd6449f0946a2dd31348a, which sanitizes the user's real name field [2]. Users should upgrade to a version that includes this commit or apply the patch manually. No workaround is documented; the vulnerability is fixed in later releases. The CVE is not listed in the KEV catalog.

References
  1. NVD - CVE-2017-1000495
  2. sanitize user's real name (#193) · quickapps/cms@7d648f2
  3. Stored Cross-Site Scripting (XSS)

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
quickapps/cmsPackagist
< 2.0.02.0.0

Affected products

1

Patches

1
7d648f21bd87

sanitize user's real name (#193)

https://github.com/quickapps/cmsChristopher CastroApr 5, 2018via ghsa
commit
1 file changed · +12 0
  • plugins/User/src/Model/Entity/User.php+12 0 modified
    @@ -92,6 +92,18 @@ protected function _getAvatar()
         return $this->avatar();
     }
 
+    /**
+     * Gets user's real name.
+     *
+     * @return string Name
+     */
+    protected function _getName()
+    {
+        $name = isset($this->_properties['name']) ? $this->_properties['name'] : '';
+
+        return h($name);
+    }
+
     /**
      * Gets user avatar image's URL.
      *

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.