CVE-2017-12439 - Vulnerability Details - OpenCVE

SocuSoft Flash Slideshow Maker Professional through v5.20, when the advanced configuration is used, has an xml_path HTTP parameter that trusts user-supplied input, in conjunction with an unsafe XML configuration file. This has resultant content forgery, cross site scripting, and unvalidated redirection issues.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Socusoft	Flash Slideshow Maker

Configuration 1 [-]

cpe:2.3:a:socusoft:flash_slideshow_maker:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://packetstormsecurity.com/files/143542/Flash-Slideshow-Maker-Professional-XSS-Content-Forgery-Redirect.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-08-05T15:00:00

Updated: 2024-08-05T18:36:56.162Z

Reserved: 2017-08-04T00:00:00

Link: CVE-2017-12439

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-08-05T15:29:00.227

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-12439

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-08-05T00:00:00", "descriptions": [{"lang": "en", "value": "SocuSoft Flash Slideshow Maker Professional through v5.20, when the advanced configuration is used, has an xml_path HTTP parameter that trusts user-supplied input, in conjunction with an unsafe XML configuration file. This has resultant content forgery, cross site scripting, and unvalidated redirection issues."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-05T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://packetstormsecurity.com/files/143542/Flash-Slideshow-Maker-Professional-XSS-Content-Forgery-Redirect.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-12439", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SocuSoft Flash Slideshow Maker Professional through v5.20, when the advanced configuration is used, has an xml_path HTTP parameter that trusts user-supplied input, in conjunction with an unsafe XML configuration file. This has resultant content forgery, cross site scripting, and unvalidated redirection issues."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://packetstormsecurity.com/files/143542/Flash-Slideshow-Maker-Professional-XSS-Content-Forgery-Redirect.html", "refsource": "MISC", "url": "https://packetstormsecurity.com/files/143542/Flash-Slideshow-Maker-Professional-XSS-Content-Forgery-Redirect.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T18:36:56.162Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://packetstormsecurity.com/files/143542/Flash-Slideshow-Maker-Professional-XSS-Content-Forgery-Redirect.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-12439", "datePublished": "2017-08-05T15:00:00", "dateReserved": "2017-08-04T00:00:00", "dateUpdated": "2024-08-05T18:36:56.162Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:socusoft:flash_slideshow_maker:*:*:*:*:*:*:*:*", "matchCriteriaId": "534D0800-1C0A-497F-809A-EB786E0E5982", "versionEndIncluding": "5.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SocuSoft Flash Slideshow Maker Professional through v5.20, when the advanced configuration is used, has an xml_path HTTP parameter that trusts user-supplied input, in conjunction with an unsafe XML configuration file. This has resultant content forgery, cross site scripting, and unvalidated redirection issues."}, {"lang": "es", "value": "SocuSoft Flash Slideshow Maker Professional en su versi\u00f3n v5.20 (cuando se usa la configuraci\u00f3n avanzada) tiene un par\u00e1metro HTTP xml_path que conf\u00eda en las entradas proporcionadas por el usuario, adem\u00e1s de un archivo de configuraci\u00f3n XML no seguro. Esto da como resultado problemas de falsificaci\u00f3n de contenido, Cross-Site Scripting y cuestiones de redirecci\u00f3n sin validar."}], "id": "CVE-2017-12439", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-05T15:29:00.227", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://packetstormsecurity.com/files/143542/Flash-Slideshow-Maker-Professional-XSS-Content-Forgery-Redirect.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://packetstormsecurity.com/files/143542/Flash-Slideshow-Maker-Professional-XSS-Content-Forgery-Redirect.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}