Code injection in InterScan Web Security Virtual Appliance (IWSVA) - #VU6847

 

Code injection in InterScan Web Security Virtual Appliance (IWSVA) - #VU6847

Published: May 31, 2017 / Updated: May 31, 2017


Vulnerability identifier: #VU6847
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Trend Micro
Affected software:
InterScan Web Security Virtual Appliance (IWSVA)

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper input validation by web service. A remote attacker can use specially crafted parameters to implement remote code injections and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update to version 6.5 SP2 HF 1755.

Sources