CVE: Common Vulnerabilities and Exposures

Required CVE Record Information

Description

ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution.

CWE 1 Total

Learn more

CWE-330: Use of Insufficiently Random Values (CWE-330)

Product Status

Learn more

Versions 1 Total

Default Status: unknown

affected

References 5 Total

securityfocus.com: 99242
external site
vdb-entry
https://docs.expressionengine.com/v2/about/changelog.html#version-2-11-8
external site
https://hackerone.com/reports/215890
external site
https://docs.expressionengine.com/latest/about/changelog.html#version-3-5-5
external site
https://expressionengine.com/blog/expressionengine-3.5.5-and-2.11.8-released
external site

Updated: 2024-08-05

This container includes required additional information provided by the CVE Program for this vulnerability.

References 5 Total

securityfocus.com: 99242
external site
vdb-entryx_transferred
https://docs.expressionengine.com/v2/about/changelog.html#version-2-11-8
external site
x_transferred
https://hackerone.com/reports/215890
external site
x_transferred
https://docs.expressionengine.com/latest/about/changelog.html#version-3-5-5
external site
x_transferred
https://expressionengine.com/blog/expressionengine-3.5.5-and-2.11.8-released
external site
x_transferred

Common vulnerabilities and Exposures (CVE)

Required CVE Record Information

CNA: HackerOne

Description

CWE 1 Total

Product Status

References 5 Total

CVE Program

References 5 Total