{"api_version":"1","generated_at":"2026-04-23T07:55:56+00:00","cve":"CVE-2017-11617","urls":{"html":"https://cve.report/CVE-2017-11617","api":"https://cve.report/api/cve/CVE-2017-11617.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-11617","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-11617"},"summary":{"title":"CVE-2017-11617","description":"Cross-site scripting (XSS) vulnerability in atmail prior to version 7.8.0.2 allows remote attackers to inject arbitrary web script or HTML within the body of an email via an IMG element with both single quotes and double quotes.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2017-07-25 17:29:00","updated_at":"2017-07-28 17:03:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://help.atmail.com/hc/en-us/articles/115007169147-Minor-Update-7-8-0-2-ActiveSync-2-3-6","name":"https://help.atmail.com/hc/en-us/articles/115007169147-Minor-Update-7-8-0-2-ActiveSync-2-3-6","refsource":"MISC","tags":["Vendor Advisory"],"title":"Minor Update 7.8.0.2/ActiveSync 2.3.6 – atmail help centre","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.bishopfox.com/blog/2017/06/how-i-built-an-xss-worm-on-atmail/","name":"https://www.bishopfox.com/blog/2017/06/how-i-built-an-xss-worm-on-atmail/","refsource":"MISC","tags":["Exploit","Technical Description","Third Party Advisory"],"title":"How I Built An XSS Worm On Atmail - Bishop Fox","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-11617","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-11617","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"11617","vulnerable":"1","versionEndIncluding":"7.8.0.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atmail","cpe5":"atmail","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2017-11617","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Cross-site scripting (XSS) vulnerability in atmail prior to version 7.8.0.2 allows remote attackers to inject arbitrary web script or HTML within the body of an email via an IMG element with both single quotes and double quotes."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://www.bishopfox.com/blog/2017/06/how-i-built-an-xss-worm-on-atmail/","refsource":"MISC","url":"https://www.bishopfox.com/blog/2017/06/how-i-built-an-xss-worm-on-atmail/"},{"name":"https://help.atmail.com/hc/en-us/articles/115007169147-Minor-Update-7-8-0-2-ActiveSync-2-3-6","refsource":"MISC","url":"https://help.atmail.com/hc/en-us/articles/115007169147-Minor-Update-7-8-0-2-ActiveSync-2-3-6"}]}},"nvd":{"publishedDate":"2017-07-25 17:29:00","lastModifiedDate":"2017-07-28 17:03:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atmail:atmail:*:*:*:*:*:*:*:*","versionEndIncluding":"7.8.0.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"11617","Ordinal":"108762","Title":"CVE-2017-11617","CVE":"CVE-2017-11617","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"11617","Ordinal":"1","NoteData":"Cross-site scripting (XSS) vulnerability in atmail prior to version 7.8.0.2 allows remote attackers to inject arbitrary web script or HTML within the body of an email via an IMG element with both single quotes and double quotes.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"11617","Ordinal":"2","NoteData":"2017-07-25","Type":"Other","Title":"Published"}]}}}