ID CVE-2017-11398
Summary A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an unauthenticated attacker to hijack active user sessions to perform authenticated requests on a vulnerable system.
References
Vulnerable Configurations
  • cpe:2.3:a:trendmicro:smart_protection_server:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:trendmicro:smart_protection_server:3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:trendmicro:smart_protection_server:3.2:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 09-10-2019 - 23:22)
Impact:
Exploitability:
CWE CWE-534
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
d2sec via4
name Trend Micro Smart Protection Server Encryption Key Disclosure
url http://www.d2sec.com/exploits/trend_micro_smart_protection_server_encryption_key_disclosure.html
refmap via4
bid 102275
confirm https://success.trendmicro.com/solution/1118992
exploit-db 43388
misc https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities
Last major update 09-10-2019 - 23:22
Published 19-01-2018 - 19:29
Last modified 09-10-2019 - 23:22