PatchSiren


CVE-2017-3890 Blackberry CVE debrief

CVE-2017-3890 is a reflected cross-site scripting (XSS) vulnerability in BlackBerry WatchDox Server components. According to the NVD record, it affects Appliance-X version 1.8.1 and earlier, and vAPP versions 4.6.0 through 5.4.1. A remote attacker can induce a user to click a malicious link, causing script to run in the context of the affected browser.

Vendor: Blackberry
Product: CVE-2017-3890
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running BlackBerry WatchDox Server Appliance-X or Workspaces vAPP in the affected version ranges should treat this as relevant, especially where users can be sent links to the application and browser-based access is common.

Technical summary

The NVD classifies the issue as CWE-79 and rates it with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. That means the vulnerability is network-reachable, requires no privileges, depends on user interaction, changes scope, and has a low impact on confidentiality and integrity (none on availability) at the browser/session level due to reflected script execution. The supplied record lists vulnerable CPEs for BlackBerry appliance-x up to 1.8.1 and workspaces_vapp 4.6.0 and 5.4.1.

Defensive priority

Medium. The attack requires user interaction, but the browser-side impact and scope change make malicious-link abuse a practical concern for exposed user-facing deployments.

Recommended defensive actions

  • Review the BlackBerry vendor advisory referenced in the NVD record for product-specific remediation guidance.
  • Inventory Appliance-X and Workspaces vAPP deployments and confirm whether any instance is within the affected version ranges.
  • Restrict access to affected interfaces where possible and treat unsolicited links to the application as suspicious.
  • Validate that application responses properly encode reflected input and that any available vendor fix or upgrade path is applied.
  • Monitor for anomalous browser-side behavior, unexpected redirects, or session abuse that could indicate XSS exploitation attempts.

Evidence notes

The supplied NVD metadata marks the vulnerability as modified and provides the affected CPE criteria, CVSS vector, and CWE-79 classification. References in the record include the BlackBerry vendor advisory (articleNumber=000038915) and a SecurityFocus BID entry (95442). The CVE was published on 2017-01-13; the later 2026-05-13 modification timestamp is metadata update timing, not the original disclosure date.

Official resources

Publicly disclosed in the CVE/NVD records on 2017-01-13. The supplied source metadata shows a later modification on 2026-05-13, which should not be treated as the original disclosure date.