Show vulnerabilities with patch / with exploit

Multiple vulnerabilities in Trend Micro InterScan Web Security Virtual Appliance



Published: 2017-05-31
Severity High
Patch available YES
Number of vulnerabilities 1
CVE ID N/A
CWE ID CWE-94
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
InterScan Web Security Virtual Appliance
Server applications / Server solutions for antivurus protection

Vendor Trend Micro

Security Advisory

This security advisory describes one high risk vulnerability.

1) Code injection

Severity: High

CVSSv3: 8.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper input validation by web service. A remote attacker can use specially crafted parameters to implement remote code injections and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 6.5 SP2 HF 1755.

Vulnerable software versions

InterScan Web Security Virtual Appliance: 6.5

CPE External links

https://success.trendmicro.com/solution/1117412

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.