PHP file inclusion in Trend Micro Mobile Security for Enterprise - CVE-2023-32527

 

PHP file inclusion in Trend Micro Mobile Security for Enterprise - CVE-2023-32527

Published: May 13, 2023 / Updated: May 14, 2023


Vulnerability identifier: #VU76096
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-32527
CWE-ID: CWE-98
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Trend Micro
Affected software:
Trend Micro Mobile Security for Enterprise

Detailed vulnerability description

The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files within the getWidgetPoolManager function defined in the web/widget path. A remote user can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.


How to mitigate CVE-2023-32527

Install updates from vendor's website.

Sources