Vulnerability Details : CVE-2017-11398
A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an unauthenticated attacker to hijack active user sessions to perform authenticated requests on a vulnerable system.
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2017-11398
- cpe:2.3:a:trendmicro:smart_protection_server:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-11398
- 0.56%: probability of exploitation activity in the next 30 days
- ~77%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-11398
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2017-11398
- The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Assigned by: security@trendmicro.com (Secondary)
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-11398
- https://success.trendmicro.com/solution/1118992
  Multiple vulnerabilities in Smart Protection Server [Vendor Advisory]
- https://www.exploit-db.com/exploits/43388/
  Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Con [Third Party Advisory; VDB Entry]
- http://www.securityfocus.com/bid/102275
  Trend Micro Smart Protection Server Multiple Security Vulnerabilities [Third Party Advisory; VDB Entry]
- https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities
  Trend Micro Smart Protection Server Multiple Vulnerabilities | Core Security [Exploit; Third Party Advisory]