CVE: CVE-2017-17889 Software: Kliqqi CMS Tested Version: 3.5.2 Release Date: 11.01.2017 Vulnerability Type: Cross-Site Scripting (CWE-79) Vulnerability Description Stored XSS (1): 1. Create a user with normal or moderator rights. 2. Login as the user. 3. Navigate to /pligg/groups.php and create a new group with group name "onmouseover=confirm(0)". 4. Navigate back to /pligg/groups.php and hover the cursor over the group’s avatar to trigger the payload. Stored XSS (2): 1. Login as a user. 2. Navigate to the user's profile settings page. 3. Update the Homepage to "javascript:alert(0)" and save. 4. The payload triggers upon URL click. DOM-based XSS: 1. Login as a normal user. 2. Navigate to /pligg/submit.php. 3. Enter in Tags. 4. The payload should trigger. Impact Inject malicious scripts. Access cookies, session tokens, sensitive information. Solution Migrated to Plikli CMS. Plikli CMS v4.0 includes a fix. Timeline Vulnerability found: 24.12.2017 Vendor informed: 24.12.2017 Vendor response: 24.12.2017 Fixed by vendor: 03.01.2018 Patched version released: 22.04.2018 Public advisory: 22.04.2018