{"api_version":"1","generated_at":"2026-04-23T11:32:20+00:00","cve":"CVE-2017-11398","urls":{"html":"https://cve.report/CVE-2017-11398","api":"https://cve.report/api/cve/CVE-2017-11398.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-11398","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-11398"},"summary":{"title":"CVE-2017-11398","description":"A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an unauthenticated attacker to hijack active user sessions to perform authenticated requests on a vulnerable system.","state":"PUBLIC","assigner":"security@trendmicro.com","published_at":"2018-01-19 19:29:00","updated_at":"2019-10-09 23:22:00"},"problem_types":["CWE-534"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/102275","name":"102275","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Trend Micro Smart Protection Server Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://success.trendmicro.com/solution/1118992","name":"https://success.trendmicro.com/solution/1118992","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"SECURITY BULLETIN: Trend Micro Smart Protection Server (Standalone) Multiple Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities","name":"https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Trend Micro Smart Protection Server Multiple Vulnerabilities | Core Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/43388/","name":"43388","refsource":"EXPLOIT-DB","tags":["Third Party Advisory","VDB Entry"],"title":"Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control - Multiple remote Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-11398","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-11398","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"11398","vulnerable":"1","versionEndIncluding":"3.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"trendmicro","cpe5":"smart_protection_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@trendmicro.com","ID":"CVE-2017-11398","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Trend Micro Smart Protection Server (Standalone)","version":{"version_data":[{"version_value":"3.0, 3.1, 3.2"}]}}]},"vendor_name":"Trend Micro"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an unauthenticated attacker to hijack active user sessions to perform authenticated requests on a vulnerable system."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"OTHER - Information Exposure Through Log Files (CWE-285)"}]}]},"references":{"reference_data":[{"name":"43388","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/43388/"},{"name":"102275","refsource":"BID","url":"http://www.securityfocus.com/bid/102275"},{"name":"https://success.trendmicro.com/solution/1118992","refsource":"CONFIRM","url":"https://success.trendmicro.com/solution/1118992"},{"name":"https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities","refsource":"MISC","url":"https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities"}]}},"nvd":{"publishedDate":"2018-01-19 19:29:00","lastModifiedDate":"2019-10-09 23:22:00","problem_types":["CWE-534"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:trendmicro:smart_protection_server:*:*:*:*:*:*:*:*","versionEndIncluding":"3.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"11398","Ordinal":"108540","Title":"CVE-2017-11398","CVE":"CVE-2017-11398","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"11398","Ordinal":"1","NoteData":"A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an unauthenticated attacker to hijack active user sessions to perform authenticated requests on a vulnerable system.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"11398","Ordinal":"2","NoteData":"2018-01-19","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"11398","Ordinal":"3","NoteData":"2018-01-20","Type":"Other","Title":"Modified"}]}}}