Back to CVE Browser

CVE-2017-16896

CRITICAL

9.8

CVSS Severity Score

EPSS Score0.0720%

EPSS Percentile10.65th

PublishedNov 20, 2017

Last ModifiedMay 13, 2026

Vulnerability Description

A SQL injection in classes/handler/public.php in the forgotpass component of Tiny Tiny RSS 17.4 exists via the login parameter.

Affected Platforms (CPE)

📦

Tt Rss

Tiny Tiny Rss

= 17.4

References & Advisories

🔗 https://discourse.tt-rss.org/t/sql-injection-in-forgotpass-fixed/669

🔗 https://git.tt-rss.org/git/tt-rss/commit/2352c320c2ed34ec7df1ad22f0c55a1b26489815

🔗 https://discourse.tt-rss.org/t/sql-injection-in-forgotpass-fixed/669

🔗 https://git.tt-rss.org/git/tt-rss/commit/2352c320c2ed34ec7df1ad22f0c55a1b26489815

Related Vulnerabilities

CVE-2020-257879.8

An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. It does not validate all URLs before requesting them.

CVE-2020-257888.1

An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. imgproxy in plugins/af_proxy_http/init.php mishandles $_R...

CVE-2021-283737.5

The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a v...

CVE-2020-257896.1

An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SV...