CVE-2017-0897

Vendor: Ellislab
Product: ExpressionEngine
Weakness: CWE-330 (Insufficient randomness)
Published: June 22, 2017
Last update: August 5, 2024

What the vulnerability does

01 Description

ExpressionEngine 2.x versions before 2.11.8 and 3.x versions before 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution.

Key dates

02 Disclosure timeline

June 22, 2017: CVE published
August 5, 2024: Record updated