Vulnerability Details : CVE-2016-9891
Cross-site scripting (XSS) vulnerability in admin/media.php and admin/media_item.php in Dotclear before 2.11 allows remote authenticated users to inject arbitrary web script or HTML via the upfiletitle or media_title parameter (aka the media title).
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2016-9891
- cpe:2.3:a:dotclear:dotclear:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-9891
0.15%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 50 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-9891
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
5.4
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
NIST |
CWE ids for CVE-2016-9891
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-9891
-
http://www.securityfocus.com/bid/95156
Dotclear CVE-2016-9891 Multiple Cross Site Scripting VulnerabilitiesThird Party Advisory;VDB Entry
-
https://dotclear.org/blog/post/2016/12/28/Dotclear-2.11
Dotclear 2.11 › Dotclear News › Dotclear › Blog management made easyRelease Notes;Vendor Advisory
-
https://smarterbitbybit.com/cve-2016-9891-dotclear-xss-vulnerability-in-version-2-10-4/
Page not found - SmarterBitbyBitThird Party Advisory
-
https://dev.dotclear.org/2.0/ticket/2224
#2224 (Security vulnerability in Dotclear version 2.10.4) – Dev Dotclear 2Issue Tracking
-
https://dev.dotclear.org/2.0/changeset/5536ac77e915
Changeset 3440:5536ac77e915 – Dev Dotclear 2Issue Tracking;Patch
-
https://hg.dotclear.org/dotclear/rev/712559193a6e
Dotclear: changeset 3469:712559193a6eRelease Notes;Vendor Advisory
Jump to