Medium severity (6.1) · NVD Advisory · Published Mar 21, 2017 · Updated May 13, 2026
CVE-2017-7204
Description
A Cross-Site Scripting (XSS) vulnerability was discovered in imdbphp 5.1.1. It exists because user-supplied data (the "name" parameter) passed to the "imdbphp-master/demo/search.php" URL is reflected into the page without sufficient filtering. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| imdbphp/imdbphp (Packagist) | < 5.2.0 | 5.2.0 |
Affected products
- cpe:2.3:a:imdbphp_project:imdbphp:5.1.1:*:*:*:*:*:*:*
Patches
- 5875c75c6ca6 Fix input reflection on search page. Closes #88
2 files changed · +7 −2
demo/inc.php+4 −0 added@@ -0,0 +1,4 @@ +<?php +function esc($str) { + return htmlspecialchars($str); +}
demo/search.php+3 −2 modified@@ -11,6 +11,7 @@ # Search for $name and display results # ############################################################################# require __DIR__ . "/../bootstrap.php"; +require "inc.php"; # If MID has been explicitly given, we don't need to search: if (!empty($_GET["mid"]) && preg_match('/^[0-9]+$/',$_GET["mid"])) { @@ -45,11 +46,11 @@ <!DOCTYPE html> <html> <head> - <title>Performing search for '<?php echo $_GET["name"] ?>' [IMDbPHP v<?php echo $search->version ?>]</title> + <title>Performing search for '<?php echo esc($_GET["name"]) ?>' [IMDbPHP v<?php echo $search->version ?>]</title> <style type="text/css">body,td,th,h2 { font-size:12px; font-family:sans-serif; } th { background-color:#ffb000; } h2 { text-align:center; font-size:15px; margin-top: 20px; margin-bottom:0; }</style> </head> <body> - <h2>[IMDBPHP v<?php echo $search->version ?> Demo] Search results for '<?php echo $_GET["name"] ?>':</h2> + <h2>[IMDBPHP v<?php echo $search->version ?> Demo] Search results for '<?php echo esc($_GET["name"]) ?>':</h2> <table align="center" border="1" style="border-collapse:collapse;margin-top:20px;"> <tr><th><?php echo $headname ?> Details</th><th>IMDb</th></tr> <?php foreach ($results as $res):
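Review bot: in the demo/inc.php hunk, `esc()` calls `htmlspecialchars($str)` with default flags, which on PHP versions before 8.1 leaves single quotes unencoded and relies on the runtime's default charset; the two call sites in this patch are HTML text nodes, so that is sufficient here, but a helper named `esc` will be reused in attribute contexts, so pass the flags explicitly: `return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');`.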
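Review bot: in the first demo/search.php hunk, `require "inc.php";` resolves relative to the include path and working directory, while the line just above it uses `require __DIR__ . "/../bootstrap.php";`; use `require __DIR__ . "/inc.php";` so the helper loads regardless of where the script is invoked from.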
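Review bot: in the second demo/search.php hunk, only the two visible reflections of `$_GET["name"]` (the `<title>` and the `<h2>`) are wrapped in `esc()`; the template continues into the `foreach ($results as $res)` loop and also echoes `$headname`, which are outside this hunk, so the rest of the file should be checked for further unescaped output of request-derived data. Both call sites also read `$_GET["name"]` directly, which raises an undefined-index notice when the parameter is absent; reading it once into a local with a default and escaping that value would cover both points.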
References
- github.com/tboothman/imdbphp/issues/88 (NVD: Exploit, Patch, Vendor Advisory)
- github.com/advisories/GHSA-8jxq-gpmr-h4g4 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-7204 (GHSA: Advisory)
- www.securityfocus.com/bid/97002 (NVD: Web)
- github.com/tboothman/imdbphp/commit/5875c75c6ca6a53dc4faaaeca973150d380e88e2 (GHSA: Web)