Elefant CMS layout code injection
Description
A vulnerability was found in Elefant CMS 1.3.12-RC. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /designer/add/layout. The manipulation leads to code injection. The attack can be launched remotely. Upgrading to version 1.3.13 addresses this issue. It is recommended to upgrade the affected component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Elefant CMS 1.3.12-RC has a critical code injection vulnerability in /designer/add/layout, allowing remote unauthenticated attackers to execute arbitrary code.
Vulnerability Overview
CVE-2017-20064 describes a critical code injection vulnerability in Elefant CMS version 1.3.12-RC. The flaw resides in the /designer/add/layout file, where manipulation of input leads to code injection. The exact root cause is not publicly detailed, but the vulnerability is classified as critical due to the potential for remote exploitation. [1]
Exploitation
The attack can be launched remotely without requiring authentication, making it accessible to any network-connected attacker. The specific prerequisites or attack vector are not elaborated, but the remote nature suggests that the vulnerable endpoint is exposed by default. [1]
Impact
Successful exploitation allows an attacker to inject and execute arbitrary code on the server, potentially leading to full compromise of the CMS installation and underlying system. The CVSS score is not provided in the available references, but the "critical" designation indicates high severity. [1]
Mitigation
The vendor addressed the issue in Elefant CMS version 1.3.13. Users are strongly advised to upgrade to this version or later. The project is maintained on GitHub, where updates and release notes can be found. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| elefant/cms (Packagist) | < 1.3.13 | 1.3.13 |
Affected products
- Elefant/CMS v5 Range: 1.3.12-RC
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-gx6v-67qv-rhx5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-20064 (ghsa, ADVISORY)
- seclists.org/fulldisclosure/2017/Feb/39 (ghsa, x_refsource_MISC, WEB)
- vuldb.com (ghsa, x_refsource_MISC, WEB)