Vulnerabilities > CVE-2017-0897 - Insufficient Entropy vulnerability in Expressionengine
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
References
- http://www.securityfocus.com/bid/99242
- http://www.securityfocus.com/bid/99242
- https://docs.expressionengine.com/latest/about/changelog.html#version-3-5-5
- https://docs.expressionengine.com/latest/about/changelog.html#version-3-5-5
- https://docs.expressionengine.com/v2/about/changelog.html#version-2-11-8
- https://docs.expressionengine.com/v2/about/changelog.html#version-2-11-8
- https://expressionengine.com/blog/expressionengine-3.5.5-and-2.11.8-released
- https://expressionengine.com/blog/expressionengine-3.5.5-and-2.11.8-released
- https://hackerone.com/reports/215890
- https://hackerone.com/reports/215890