#VU38605 Input validation error in OfficeScan - CVE-2017-11393
Published: August 3, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU38605
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-11393
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OfficeScan
Software vendor:
Trend Micro
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the tr parameter within Proxy.php. Formerly ZDI-CAN-4543.
Remediation
Install update from vendor's website.