Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
Severity
8.8 HIGH
EPSS
5.4%
top 9.93%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Jan 19
Latest update: May 13
Description
A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an unauthenticated attacker to hijack active user sessions to perform authenticated requests on a vulnerable system.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 2 packages
🔴 Vulnerability Details (2)
GHSA
GHSA-gw2x-h452-c92v: A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3 | 2022-05-13
CVEList
CVE-2017-11398: A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3 | 2018-01-19
💥 Exploits & PoCs (1)
Exploit-DB
Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Con | 2017-12-19