VIR Vulnerability Intelligence Relay

CVE-2014-7264

low
Published 2014-12-11 · Modified 2026-05-06
CVSS v3
CVSS v2
3.5
VIR risk
3.5

Description

Multiple cross-site scripting (XSS) vulnerabilities in admin/themes/default/pages/manage_users.twig in the Users Management feature in the admin component in Chyrp before 2.5.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) user.email or (2) user.website field in a user registration.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — https://github.com/chyrp/chyrp/commit/43d1b6b266363ae7545d5d49851034eaeec7bebb

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://jvndb.jvn.jp/jvndb/JVNDB-2014-000149

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://jvn.jp/en/jp/JVN13160869/index.html

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://chyrp.net/2014/11/18/chyrp-251-security-release/

Application impact
VendorProductVersionsFixed
chyrpchyrp{"endIncluding":"2.5"}

References

CWEs

CWE-79

Verify integrity in audit chain (admin only). AS-IS.