Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-9371

Summary
Assigner-blackberry
Assigner Org ID-dbe78b00-5e7b-4fda-8748-329789ecfc5c
Published At-14 Nov, 2017 | 21:00
Updated At-22 Aug, 2025 | 15:05
Rejected At-
Credits

In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 SP1 and earlier, a loss of integrity vulnerability in the default configuration of the QNX SDP could allow an attacker being able to reduce the entropy of the PRNG, making other blended attacks more practical by gaining control over environmental factors that influence seed generation.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:blackberry
Assigner Org ID:dbe78b00-5e7b-4fda-8748-329789ecfc5c
Published At:14 Nov, 2017 | 21:00
Updated At:22 Aug, 2025 | 15:05
Rejected At:
▼CVE Numbering Authority (CNA)

In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 SP1 and earlier, a loss of integrity vulnerability in the default configuration of the QNX SDP could allow an attacker being able to reduce the entropy of the PRNG, making other blended attacks more practical by gaining control over environmental factors that influence seed generation.

Affected Products
Vendor
BlackBerry LimitedBlackBerry
Product
QNX Software Development Platform (QNX SDP)
Default Status
unaffected
Versions
Affected
  • 6.6.0
  • 6.5.0 SP1 and earlier
Problem Types
TypeCWE IDDescription
N/AN/ALoss of integrity vulnerability
CWECWE-332CWE-332 Insufficient Entropy in PRNG
Type: N/A
CWE ID: N/A
Description: Loss of integrity vulnerability
Type: CWE
CWE ID: CWE-332
Description: CWE-332 Insufficient Entropy in PRNG
Metrics
VersionBase scoreBase severityVector
3.12.6LOW
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Version: 3.1
Base score: 2.6
Base severity: LOW
Vector:
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-554CAPEC-554 Functionality Bypass
CAPEC ID: CAPEC-554
Description: CAPEC-554 Functionality Bypass
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000046674
x_refsource_CONFIRM
Hyperlink: http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000046674
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000046674
x_refsource_CONFIRM
x_transferred
Hyperlink: http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000046674
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:secure@blackberry.com
Published At:14 Nov, 2017 | 21:29
Updated At:22 Aug, 2025 | 15:15

In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 SP1 and earlier, a loss of integrity vulnerability in the default configuration of the QNX SDP could allow an attacker being able to reduce the entropy of the PRNG, making other blended attacks more practical by gaining control over environmental factors that influence seed generation.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.12.6LOW
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Primary3.05.9MEDIUM
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Secondary
Version: 3.1
Base score: 2.6
Base severity: LOW
Vector:
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Type: Primary
Version: 3.0
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
BlackBerry Limited
blackberry
>>qnx_software_development_platform>>6.5.0
cpe:2.3:a:blackberry:qnx_software_development_platform:6.5.0:*:*:*:*:*:*:*
BlackBerry Limited
blackberry
>>qnx_software_development_platform>>6.5.0
cpe:2.3:a:blackberry:qnx_software_development_platform:6.5.0:sp1:*:*:*:*:*:*
BlackBerry Limited
blackberry
>>qnx_software_development_platform>>6.6.0
cpe:2.3:a:blackberry:qnx_software_development_platform:6.6.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-332Secondarysecure@blackberry.com
CWE-332Primarynvd@nist.gov
CWE ID: CWE-332
Type: Secondary
Source: secure@blackberry.com
CWE ID: CWE-332
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000046674secure@blackberry.com
Vendor Advisory
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000046674af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Hyperlink: http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000046674
Source: secure@blackberry.com
Resource:
Vendor Advisory
Hyperlink: http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000046674
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

11Records found
CVE-2017-3894
Matching Score-8
Assigner-BlackBerry
ShareView Details
Matching Score-8
Assigner-BlackBerry
CVSS Score-6.1||MEDIUM
EPSS-0.36% / 57.14%
||
7 Day CHG~0.00%
Published-10 May, 2017 | 16:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross site scripting vulnerability in the Management Console of BlackBerry Unified Endpoint Manager version 12.6.1 and earlier, and all versions of BES12, allows attackers to execute actions in the context of a Management Console administrator by uploading a malicious script and then persuading a target administrator to view the specific location of the malicious script within the Management Console.

Action-Not Available
Vendor-BlackBerry Limited
Product-enterprise_serviceunified_endpoint_managerUnified Endpoint ManagerBES12
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-3890
Matching Score-8
Assigner-BlackBerry
ShareView Details
Matching Score-8
Assigner-BlackBerry
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 52.12%
||
7 Day CHG~0.00%
Published-13 Jan, 2017 | 09:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting vulnerability in the BlackBerry WatchDox Server components Appliance-X, version 1.8.1 and earlier, and vAPP, versions 4.6.0 to 5.4.1, allows remote attackers to execute script commands in the context of the affected browser by persuading a user to click an attacker-supplied malicious link.

Action-Not Available
Vendor-n/aBlackBerry Limited
Product-workspaces_vappappliance-xBlackBerry WatchDox Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-17442
Matching Score-8
Assigner-BlackBerry
ShareView Details
Matching Score-8
Assigner-BlackBerry
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 53.87%
||
7 Day CHG~0.00%
Published-13 Mar, 2018 | 18:00
Updated-17 Sep, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In BlackBerry UEM Management Console version 12.7.1 and earlier, a reflected cross-site scripting vulnerability that could allow an attacker to execute script commands in the context of the affected UEM Management Console account by crafting a malicious link and then persuading a user with legitimate access to the Management Console to click on the malicious link.

Action-Not Available
Vendor-BlackBerry Limited
Product-unified_endpoint_managerUEM Management Console
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8892
Matching Score-8
Assigner-BlackBerry
ShareView Details
Matching Score-8
Assigner-BlackBerry
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 30.44%
||
7 Day CHG~0.00%
Published-20 Dec, 2018 | 20:00
Updated-05 Aug, 2024 | 07:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in the Management Console of BlackBerry UEM versions earlier than 12.9.1 could allow an attacker to make modifications to the UEM settings in the context of a Management Console administrator.

Action-Not Available
Vendor-BlackBerry Limited
Product-unified_endpoint_managerBlackBerry UEM
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-36486
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.16%
||
7 Day CHG~0.00%
Published-22 Oct, 2021 | 19:20
Updated-04 Aug, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Swift File Transfer Mobile v1.1.2 and below was discovered to contain a cross-site scripting (XSS) vulnerability via the 'path' parameter of the 'list' and 'download' exception-handling.

Action-Not Available
Vendor-swiftfiletransfern/aBlackBerry LimitedApple Inc.Google LLC
Product-androidiphone_osblackberry_osswift_file_transfern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-3126
Matching Score-8
Assigner-BlackBerry
ShareView Details
Matching Score-8
Assigner-BlackBerry
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 48.21%
||
7 Day CHG~0.00%
Published-22 Apr, 2016 | 18:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

Action-Not Available
Vendor-n/aBlackBerry Limited
Product-enterprise_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-1915
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-7.25% / 91.25%
||
7 Day CHG-1.07%
Published-13 Apr, 2017 | 14:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to inject arbitrary web script or HTML via the locale parameter to (1) mydevice/index.jsp or (2) mydevice/loggedOut.jsp.

Action-Not Available
Vendor-n/aBlackBerry Limited
Product-blackberry_enterprise_servicen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-1918
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 48.21%
||
7 Day CHG~0.00%
Published-22 Apr, 2016 | 18:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1917.

Action-Not Available
Vendor-n/aBlackBerry Limited
Product-enterprise_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-1917
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 48.21%
||
7 Day CHG~0.00%
Published-22 Apr, 2016 | 18:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1918.

Action-Not Available
Vendor-n/aBlackBerry Limited
Product-enterprise_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-4112
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.28%
||
7 Day CHG~0.00%
Published-19 Nov, 2015 | 11:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Management Console in BlackBerry Enterprise Server (BES) 12 before 12.2 does not properly restrict use of FRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site, related to a "cross frame scripting" issue.

Action-Not Available
Vendor-n/aBlackBerry Limited
Product-enterprise_servern/a
CVE-2014-6611
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 48.66%
||
7 Day CHG~0.00%
Published-25 Oct, 2014 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The BlackBerry World app before 5.0.0.262 on BlackBerry 10 OS 10.2.0, before 5.0.0.263 on BlackBerry 10 OS 10.2.1, and before 5.1.0.53 on BlackBerry 10 OS 10.3.0 does not properly validate download/update requests, which allows user-assisted man-in-the-middle attackers to spoof servers and trigger the download of a crafted app by modifying the client-server data stream.

Action-Not Available
Vendor-n/aBlackBerry Limited
Product-blackberry_osblackberry_worldn/a
CWE ID-CWE-20
Improper Input Validation
Details not found