{"api_version":"1","generated_at":"2026-04-23T04:40:58+00:00","cve":"CVE-2011-2217","urls":{"html":"https://cve.report/CVE-2011-2217","api":"https://cve.report/api/cve/CVE-2011-2217.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2011-2217","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2011-2217"},"summary":{"title":"CVE-2011-2217","description":"Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex552.dll in Tom Sawyer GET Extension Factory 5.5.2.237, as used in VI Client (aka VMware Infrastructure Client) 2.0.2 before Build 230598 and 2.5 before Build 204931 in VMware Infrastructure 3, do not properly handle attempted initialization within Internet Explorer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2011-06-06 19:55:00","updated_at":"2017-08-29 01:29:00"},"problem_types":["CWE-119"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/48099","name":"48099","refsource":"BID","tags":[],"title":"Tom Sawyer Software GET Extension Factory Object Initialization Memory Corruption Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/67816","name":"vmware-viclient-code-exec(67816)","refsource":"XF","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.vmware.com/security/advisories/VMSA-2011-0009.html","name":"http://www.vmware.com/security/advisories/VMSA-2011-0009.html","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"VMSA-2011-0009.3","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=911","name":"20110603 Tom Sawyer GET Extension Factory COM Object Instantiation Memory Corruption Vulnerability","refsource":"IDEFENSE","tags":[],"title":"iDefense Security Intelligence Services - Information Security Services - Verisign","mime":"text/xml","httpstatus":"-1","archivestatus":"200"},{"url":"http://secunia.com/advisories/44844","name":"44844","refsource":"SECUNIA","tags":[],"title":"Tom Sawyer GET Extension Factory Object Instantiation Memory Corruption Vulnerability - Secunia.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/44826","name":"44826","refsource":"SECUNIA","tags":["Vendor Advisory"],"title":"VMware Products VI Client ActiveX Control Memory Corruption Vulnerability - Advisories - Community","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://securitytracker.com/id?1025602","name":"1025602","refsource":"SECTRACK","tags":[],"title":"VMware VI Client ActiveX Control Lets Remote Users Execute Arbitrary Code - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2011-2217","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2217","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2011","cve_id":"2217","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"tomsawyer","cpe5":"get_extension_factory","cpe6":"5.5.2.237","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"2217","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"tomsawyer","cpe5":"get_extension_factory","cpe6":"5.5.2.237","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"2217","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"vmware","cpe5":"infrastructure","cpe6":"3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"2217","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"vmware","cpe5":"infrastructure","cpe6":"3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"2217","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"vmware","cpe5":"virtual_infrastructure_client","cpe6":"2.0.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"2217","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"vmware","cpe5":"virtual_infrastructure_client","cpe6":"2.5","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"2217","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"vmware","cpe5":"virtual_infrastructure_client","cpe6":"2.0.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"2217","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"vmware","cpe5":"virtual_infrastructure_client","cpe6":"2.5","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2011-2217","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex552.dll in Tom Sawyer GET Extension Factory 5.5.2.237, as used in VI Client (aka VMware Infrastructure Client) 2.0.2 before Build 230598 and 2.5 before Build 204931 in VMware Infrastructure 3, do not properly handle attempted initialization within Internet Explorer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"vmware-viclient-code-exec(67816)","refsource":"XF","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/67816"},{"name":"20110603 Tom Sawyer GET Extension Factory COM Object Instantiation Memory Corruption Vulnerability","refsource":"IDEFENSE","url":"http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=911"},{"name":"44844","refsource":"SECUNIA","url":"http://secunia.com/advisories/44844"},{"name":"http://www.vmware.com/security/advisories/VMSA-2011-0009.html","refsource":"CONFIRM","url":"http://www.vmware.com/security/advisories/VMSA-2011-0009.html"},{"name":"48099","refsource":"BID","url":"http://www.securityfocus.com/bid/48099"},{"name":"44826","refsource":"SECUNIA","url":"http://secunia.com/advisories/44826"},{"name":"1025602","refsource":"SECTRACK","url":"http://securitytracker.com/id?1025602"}]}},"nvd":{"publishedDate":"2011-06-06 19:55:00","lastModifiedDate":"2017-08-29 01:29:00","problem_types":["CWE-119"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9.3},"severity":"HIGH","exploitabilityScore":8.6,"impactScore":10,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:tomsawyer:get_extension_factory:5.5.2.237:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:vmware:virtual_infrastructure_client:2.0.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:vmware:virtual_infrastructure_client:2.5:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:vmware:infrastructure:3:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2011","CveId":"2217","Ordinal":"49420","Title":"CVE-2011-2217","CVE":"CVE-2011-2217","Year":"2011"},"notes":[{"CveYear":"2011","CveId":"2217","Ordinal":"1","NoteData":"Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex552.dll in Tom Sawyer GET Extension Factory 5.5.2.237, as used in VI Client (aka VMware Infrastructure Client) 2.0.2 before Build 230598 and 2.5 before Build 204931 in VMware Infrastructure 3, do not properly handle attempted initialization within Internet Explorer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document.","Type":"Description","Title":null},{"CveYear":"2011","CveId":"2217","Ordinal":"2","NoteData":"2011-06-06","Type":"Other","Title":"Published"},{"CveYear":"2011","CveId":"2217","Ordinal":"3","NoteData":"2017-08-28","Type":"Other","Title":"Modified"}]}}}