Elefant CMS Persistent cross site scripting
Description
A vulnerability classified as problematic has been found in Elefant CMS 1.3.12-RC. Affected is an unknown function. The manipulation of the argument username leads to basic cross site scripting (Persistent). It is possible to launch the attack remotely. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A persistent XSS vulnerability in Elefant CMS 1.3.12-RC via the username argument allows remote unauthenticated attackers to inject malicious scripts.
Vulnerability
CVE-2017-20057 describes a persistent cross-site scripting vulnerability in the username handling of an unknown function in Elefant CMS version 1.3.12-RC [1]. The vulnerability is classified as problematic and arises because user-supplied input to the username argument is not properly sanitized before being stored or rendered, allowing an attacker to inject arbitrary HTML and JavaScript [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication [1]. The attack vector involves submitting a malicious payload in the username field, which, when stored by the application and subsequently viewed by other users, executes the injected script in the context of the victim's browser session [1]. No special privileges or complex network access conditions are needed, making the attack surface accessible to any remote visitor.
Impact
Successful exploitation allows the attacker to perform actions that the victim can, such as accessing session cookies, modifying page content, or defacing the CMS [1]. Because the XSS is persistent (stored), every user who visits the affected page or function is at risk, increasing the potential reach of an attack.
Mitigation
The vendor has addressed this vulnerability in Elefant CMS version 1.3.13 [1]. Users are strongly advised to upgrade to that or a later release to eliminate the risk. The Elefant project provides a migration path and documentation to assist administrators with the upgrade [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| elefant/cms (Packagist) | < 1.3.13 | 1.3.13 |
Affected products
- Elefant/CMS, affected range: 1.3.12-RC
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xwj7-29j7-rw76 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-20057 (advisory)
- seclists.org/fulldisclosure/2017/Feb/36 (web)
- vuldb.com (web)
News mentions
No linked articles in our index yet.