{"api_version":"1","generated_at":"2026-05-15T07:55:19+00:00","cve":"CVE-2014-7264","urls":{"html":"https://cve.report/CVE-2014-7264","api":"https://cve.report/api/cve/CVE-2014-7264.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2014-7264","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2014-7264"},"summary":{"title":"CVE-2014-7264","description":"Multiple cross-site scripting (XSS) vulnerabilities in admin/themes/default/pages/manage_users.twig in the Users Management feature in the admin component in Chyrp before 2.5.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) user.email or (2) user.website field in a user registration.","state":"PUBLISHED","assigner":"jpcert","published_at":"2014-12-11 23:59:01","updated_at":"2026-05-06 22:30:45"},"problem_types":["CWE-79","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"3.5","severity":"","vector":"AV:N/AC:M/Au:S/C:N/I:P/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","baseScore":3.5,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"}}],"references":[{"url":"http://jvn.jp/en/jp/JVN13160869/index.html","name":"http://jvn.jp/en/jp/JVN13160869/index.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"JVN#13160869: Chyrp vulnerable to cross-site scripting","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"http://jvndb.jvn.jp/jvndb/JVNDB-2014-000149","name":"http://jvndb.jvn.jp/jvndb/JVNDB-2014-000149","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://chyrp.net/2014/11/18/chyrp-251-security-release/","name":"http://chyrp.net/2014/11/18/chyrp-251-security-release/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"Site not found · GitHub Pages","mime":"text/html","httpstatus":"404","archivestatus":"404"},{"url":"https://github.com/chyrp/chyrp/commit/43d1b6b266363ae7545d5d49851034eaeec7bebb","name":"https://github.com/chyrp/chyrp/commit/43d1b6b266363ae7545d5d49851034eaeec7bebb","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"Fixed a potential XSS vulnerability. · chyrp/chyrp@43d1b6b · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2014-7264","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-7264","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2014","cve_id":"7264","vulnerable":"1","versionEndIncluding":"2.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"chyrp","cpe5":"chyrp","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T12:47:32.392Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"JVNDB-2014-000149","tags":["third-party-advisory","x_refsource_JVNDB","x_transferred"],"url":"http://jvndb.jvn.jp/jvndb/JVNDB-2014-000149"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://chyrp.net/2014/11/18/chyrp-251-security-release/"},{"name":"JVN#13160869","tags":["third-party-advisory","x_refsource_JVN","x_transferred"],"url":"http://jvn.jp/en/jp/JVN13160869/index.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/chyrp/chyrp/commit/43d1b6b266363ae7545d5d49851034eaeec7bebb"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2014-12-10T00:00:00.000Z","descriptions":[{"lang":"en","value":"Multiple cross-site scripting (XSS) vulnerabilities in admin/themes/default/pages/manage_users.twig in the Users Management feature in the admin component in Chyrp before 2.5.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) user.email or (2) user.website field in a user registration."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2014-12-11T22:57:01.000Z","orgId":"ede6fdc4-6654-4307-a26d-3331c018e2ce","shortName":"jpcert"},"references":[{"name":"JVNDB-2014-000149","tags":["third-party-advisory","x_refsource_JVNDB"],"url":"http://jvndb.jvn.jp/jvndb/JVNDB-2014-000149"},{"tags":["x_refsource_CONFIRM"],"url":"http://chyrp.net/2014/11/18/chyrp-251-security-release/"},{"name":"JVN#13160869","tags":["third-party-advisory","x_refsource_JVN"],"url":"http://jvn.jp/en/jp/JVN13160869/index.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/chyrp/chyrp/commit/43d1b6b266363ae7545d5d49851034eaeec7bebb"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"vultures@jpcert.or.jp","ID":"CVE-2014-7264","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Multiple cross-site scripting (XSS) vulnerabilities in admin/themes/default/pages/manage_users.twig in the Users Management feature in the admin component in Chyrp before 2.5.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) user.email or (2) user.website field in a user registration."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"JVNDB-2014-000149","refsource":"JVNDB","url":"http://jvndb.jvn.jp/jvndb/JVNDB-2014-000149"},{"name":"http://chyrp.net/2014/11/18/chyrp-251-security-release/","refsource":"CONFIRM","url":"http://chyrp.net/2014/11/18/chyrp-251-security-release/"},{"name":"JVN#13160869","refsource":"JVN","url":"http://jvn.jp/en/jp/JVN13160869/index.html"},{"name":"https://github.com/chyrp/chyrp/commit/43d1b6b266363ae7545d5d49851034eaeec7bebb","refsource":"CONFIRM","url":"https://github.com/chyrp/chyrp/commit/43d1b6b266363ae7545d5d49851034eaeec7bebb"}]}}}},"cveMetadata":{"assignerOrgId":"ede6fdc4-6654-4307-a26d-3331c018e2ce","assignerShortName":"jpcert","cveId":"CVE-2014-7264","datePublished":"2014-12-11T23:00:00.000Z","dateReserved":"2014-09-30T00:00:00.000Z","dateUpdated":"2024-08-06T12:47:32.392Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2014-12-11 23:59:01","lastModifiedDate":"2026-05-06 22:30:45","problem_types":["CWE-79","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","baseScore":3.5,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:chyrp:chyrp:*:*:*:*:*:*:*:*","versionEndIncluding":"2.5","matchCriteriaId":"652DFCF3-D234-41A7-9280-7C52FC22655E"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2014","CveId":"7264","Ordinal":"1","Title":"CVE-2014-7264","CVE":"CVE-2014-7264","Year":"2014"},"notes":[{"CveYear":"2014","CveId":"7264","Ordinal":"1","NoteData":"Multiple cross-site scripting (XSS) vulnerabilities in admin/themes/default/pages/manage_users.twig in the Users Management feature in the admin component in Chyrp before 2.5.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) user.email or (2) user.website field in a user registration.","Type":"Description","Title":"CVE-2014-7264"},{"CveYear":"2014","CveId":"7264","Ordinal":"2","NoteData":"2014-12-11","Type":"Other","Title":"Published"},{"CveYear":"2014","CveId":"7264","Ordinal":"3","NoteData":"2014-12-11","Type":"Other","Title":"Modified"}]}}}