cvedb.io
CVE-2017-16635
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2017-11-06T22:29:00.413 · Last modified 2026-06-17T01:09:35.490

Summary

In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script code into the `TWG Explorer` item listing. The injection request uses the POST method, and the attack vector is located on the application side of the service. The injection point is the add/create input field, and the execution point is the item listing displayed after the add or create operation.

Affected products

tinywebgallery — tinywebgallery

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.