Vulnerability Details CVE-2017-0912
Ubiquiti UCRM versions 2.5.0 to 2.7.7 are vulnerable to Stored Cross-site Scripting. Due to the lack sanitization, it is possible to inject arbitrary HTML code by manipulating the uploaded filename. Successful exploitation requires valid credentials to an account with "Edit" access to "Scheduling".
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 44.4%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
Products affected by CVE-2017-0912
-
cpe:2.3:a:ui:ucrm:2.5.0
-
cpe:2.3:a:ui:ucrm:2.5.1
-
cpe:2.3:a:ui:ucrm:2.5.2
-
cpe:2.3:a:ui:ucrm:2.5.3
-
cpe:2.3:a:ui:ucrm:2.6.0
-
cpe:2.3:a:ui:ucrm:2.6.1
-
cpe:2.3:a:ui:ucrm:2.6.2
-
cpe:2.3:a:ui:ucrm:2.7.0
-
cpe:2.3:a:ui:ucrm:2.7.1
-
cpe:2.3:a:ui:ucrm:2.7.2
-
cpe:2.3:a:ui:ucrm:2.7.3
-
cpe:2.3:a:ui:ucrm:2.7.4
-
cpe:2.3:a:ui:ucrm:2.7.5
-
cpe:2.3:a:ui:ucrm:2.7.6
-
cpe:2.3:a:ui:ucrm:2.7.7