CVEs-PoC/2017/CVE-2017-16635.md

### [CVE-2017-16635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16635)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. The request method to inject is POST and the attack vector is located on the application-side of the service. The injection point is the add/create input field and the execution point occurs in the item listing after the add or create.

### POC

#### Reference
- https://www.vulnerability-lab.com/get_content.php?id=1997

#### Github
No PoCs found on GitHub currently.