CVE-2017-0897

7.5 HIGH

Published: June 22, 2017 Modified: May 13, 2026

Description

ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://www.securityfocus.com/bid/99242

Source: support@hackerone.com

Third Party Advisory VDB Entry

https://docs.expressionengine.com/latest/about/changelog.html#version-3-5-5

Source: support@hackerone.com

Vendor Advisory

https://docs.expressionengine.com/v2/about/changelog.html#version-2-11-8

Source: support@hackerone.com

Vendor Advisory

https://expressionengine.com/blog/expressionengine-3.5.5-and-2.11.8-released

Source: support@hackerone.com

Vendor Advisory

https://hackerone.com/reports/215890

Source: support@hackerone.com

Permissions Required

http://www.securityfocus.com/bid/99242