Elefant CMS extended Reflected cross site scriting
Description
A vulnerability has been found in Elefant CMS 1.3.12-RC and classified as problematic. This vulnerability affects unknown code of the file /admin/extended. The manipulation of the argument name with the input %3Cimg%20src=no%20onerror=alert(1)%3E leads to basic cross site scripting (Reflected). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Elefant CMS 1.3.12-RC has a reflected XSS vulnerability in the `/admin/extended` endpoint via the `name` parameter.
Vulnerability
Description
CVE-2017-20061 describes a reflected cross-site scripting (XSS) vulnerability found in the administrative interface of Elefant CMS version 1.3.12-RC. The flaw resides in the /admin/extended file, where the name parameter is not properly sanitized. By injecting a payload such as %3Cimg%20src=no%20onerror=alert(1)%3E (which decodes to ``), an attacker can cause arbitrary JavaScript to execute in the context of the victim's browser session [1].
Exploitation and
Attack Surface
The attack is remotely exploitable and does not require authentication, as the /admin path is accessible to any user in the default configuration, although an administrator must be logged in for the XSS to be triggered within the admin session. The attacker can craft a malicious link and trick an authenticated administrator into clicking it, leading to script execution [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript within the administrative interface. This can lead to session hijacking, defacement of admin pages, or theft of sensitive information such as admin credentials or configuration data. The vulnerability is classified as "problematic" by the vendor [1].
Mitigation
The issue is resolved in Elefant CMS version 1.3.13. Users are strongly advised to upgrade to this version or later. No workarounds have been provided by the vendor. The exploit details have been publicly disclosed, increasing the risk for unpatched installations [1]. The project source code is available on GitHub [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
elefant/cmsPackagist | < 1.3.13 | 1.3.13 |
Affected products
2- Elefant/CMSv5Range: 1.3.12-RC
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-hgm9-pww2-93pcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-20061ghsaADVISORY
- seclists.org/fulldisclosure/2017/Feb/36ghsax_refsource_MISCWEB
- vuldb.comghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.