{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2017-20239", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-12T12:15:22.409Z", "datePublished": "2026-04-12T12:28:42.926Z", "dateUpdated": "2026-04-12T12:28:42.926Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-12T12:28:42.926Z"}, "title": "MDwiki Cross-Site Scripting via Location Hash Parameter", "descriptions": [{"lang": "en", "value": "MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without sanitization, causing the injected scripts to execute in the victim's browser context."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "Dynalon", "product": "MDwiki", "versions": [{"version": "0.6.2", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46097", "name": "ExploitDB-46097", "tags": ["exploit"]}, {"name": "VulnCheck Advisory: MDwiki Cross-Site Scripting via Location Hash Parameter", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/mdwiki-cross-site-scripting-via-location-hash-parameter"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2019-01-08T00:00:00.000Z"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without sanitization, causing the injected scripts to execute in the victim's browser context."}], "id": "CVE-2017-20239", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-12T13:16:30.937", "references": [{"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/46097"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/mdwiki-cross-site-scripting-via-location-hash-parameter"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.6.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MDwiki", "source": "cna", "vendor": "Dynalon"}, "product": "mdwiki", "vendor": "dynalon"}], "analysis": {"en": {"generated_at": "2026-04-12T13:26:06.325528+00:00", "value": {"mitigation_remediation": ["Check the Dynalon MDwiki vendor portal for a patch or update that sanitizes the location hash parameter.", "If no patch is available, temporarily block or remove the vulnerable endpoint from public access or employ a web application firewall rule to strip or sanitize JavaScript payloads from the hash fragment.", "Configure browsers or user gateways to warn or block content with suspicious hash fragments if possible."], "summary": {"action": "Patch", "impact": "Remote Code Execution via XSS"}, "threat_synthesis": {"affected_systems": "Dynalon MDwiki instances that have not applied the vendor\u2019s fix are vulnerable. Specific version information is not supplied in the available data, so any release of MDwiki that includes the unsanitized hash handling is at risk.", "description_and_impact": "The vulnerability in MDwiki, a content management system from Dynalon, allows remote attackers to inject malicious JavaScript into the location hash fragment of a URL. When a victim\u2019s browser renders the page, the injected script executes within the user\u2019s session, enabling attackers to steal session cookies, deface the site, or perform other actions as the authenticated user. The weakness is identified as a reflected Cross\u2011Site Scripting flaw.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. The likely attack vector is a targeted web\u2011based attack where an adversary crafts a URL containing malicious code in the hash fragment and lures a victim into visiting it. Exploitation requires only a victim\u2019s browser to load the page; no additional credentials or privileges are needed beyond the victim\u2019s active session."}}}}, "created": "2026-04-13T12:41:25.437124+00:00", "updated": "2026-04-13T12:56:04.449001+00:00", "vendors": ["dynalon", "dynalon$PRODUCT$mdwiki"]}