{ "CVE_data_meta" : { "ASSIGNER" : "support@hackerone.com", "ID" : "CVE-2017-0897", "STATE" : "PUBLIC" }, "affects" : { "vendor" : { "vendor_data" : [ { "product" : { "product_data" : [ { "product_name" : "ExpressionEngine", "version" : { "version_data" : [ { "version_value" : "Versions before 2.11.8 and 3.5.5" } ] } } ] }, "vendor_name" : "EllisLab" } ] } }, "data_format" : "MITRE", "data_type" : "CVE", "data_version" : "4.0", "description" : { "description_data" : [ { "lang" : "eng", "value" : "ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution." } ] }, "problemtype" : { "problemtype_data" : [ { "description" : [ { "lang" : "eng", "value" : "Use of Insufficiently Random Values (CWE-330)" } ] } ] }, "references" : { "reference_data" : [ { "name" : "https://hackerone.com/reports/215890", "refsource" : "MISC", "url" : "https://hackerone.com/reports/215890" }, { "name" : "https://docs.expressionengine.com/latest/about/changelog.html#version-3-5-5", "refsource" : "CONFIRM", "url" : "https://docs.expressionengine.com/latest/about/changelog.html#version-3-5-5" }, { "name" : "https://docs.expressionengine.com/v2/about/changelog.html#version-2-11-8", "refsource" : "CONFIRM", "url" : "https://docs.expressionengine.com/v2/about/changelog.html#version-2-11-8" }, { "name" : "https://expressionengine.com/blog/expressionengine-3.5.5-and-2.11.8-released", "refsource" : "CONFIRM", "url" : "https://expressionengine.com/blog/expressionengine-3.5.5-and-2.11.8-released" }, { "name" : "99242", "refsource" : "BID", "url" : "http://www.securityfocus.com/bid/99242" } ] } }