Security readout for executives and security teams
Plain-English summary
This flaw affects older versions of The Next Generation of Genealogy Sitebuilding. A logged-in remote user could abuse the primaryID parameter in timeline2.php to influence database queries, risking limited data exposure, tampering, or disruption. The cited sources say version 11.1.1 addresses it.
Executive priority
Treat this as a timely but not emergency upgrade for any exposed TNG site. Prioritize systems that are public-facing or allow many user accounts, because the flaw can affect confidentiality, integrity, and availability at a limited level.
Technical view
CVE-2017-20017 is a CWE-89 SQL injection in /timeline2.php, triggered through the primaryID argument in TNG up to 11.1.0. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, score 6.3. Public disclosure is noted, but KEV does not list active exploitation.
Likely exposure
Exposure is most likely on internet-facing TNG genealogy sites running versions 11.0 or 11.1 up to 11.1.0. The attack requires low privileges, so risk is higher where user accounts are broadly available or weakly controlled.
Exploitation context
The source bundle states that exploitation can be initiated remotely and that exploit details have been publicly disclosed. There is no provided evidence of confirmed active exploitation, and the CVE is not marked as CISA KEV.
Researcher notes
Evidence is limited to the CVE record, CVE List data, and VulDB reference. The affected processing inside timeline2.php is described as unknown. Do not assume broader product versions, unauthenticated exploitation, or active exploitation without additional source evidence.
Mitigation direction
- Upgrade affected TNG installations to version 11.1.1.
- Confirm no TNG 11.0 or 11.1.0 deployments remain in production.
- Check vendor guidance before making compatibility or workaround decisions.
- Review access controls for accounts allowed to use the affected application.
Validation and detection
- Inventory public and internal sites running TNG genealogy software.
- Verify the installed TNG version on each identified site.
- Confirm whether /timeline2.php is present on affected deployments.
- Review application logs for unusual /timeline2.php requests involving primaryID.
- Retest version status after upgrading to 11.1.1.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-89: Database access and collection lookup
Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupDatabase behavior lookup
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2017-20017 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 6.3 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L2.83.4Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
6.3MediumVector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Source materials
- CVE List V5 sourceCVE List V5
- https://vuldb.com/?id.105833CVE reference · x_refsource_MISC
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
