PHP file inclusion in Trend Micro Mobile Security for Enterprise - CVE-2023-32528
Published: May 13, 2023 / Updated: May 14, 2023
Vulnerability identifier: #VU76097
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-32528
CWE-ID: CWE-98
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Trend Micro Mobile Security for Enterprise
Trend Micro Mobile Security for Enterprise
Software vendor:
Trend Micro
Trend Micro
Description
The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files within the getWidgetPoolManager function defined in the web/widgetforsecurity path. A remote user can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
Remediation
Install updates from vendor's website.