CVE-2018-6237
https://notcve.org/view.php?id=CVE-2018-6237
A vulnerability in Trend Micro Smart Protection Server (Standalone) 3.x could allow an unauthenticated remote attacker to manipulate the product to send a large number of specially crafted HTTP requests to potentially cause the file system to fill up, eventually causing a denial of service (DoS) situation. • https://success.trendmicro.com/solution/1119715 https://www.tenable.com/security/research/tra-2018-10 • CWE-400: Uncontrolled Resource Consumption
CVE-2018-10350 – Trend Micro Smart Protection Server BWListMgmt SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-10350
A SQL injection remote code execution vulnerability in Trend Micro Smart Protection Server (Standalone) 3.x could allow a remote attacker to execute arbitrary code on vulnerable installations due to a flaw within the handling of parameters provided to wcs_bwlists_handler.php. Authentication is required in order to exploit this vulnerability. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Smart Protection Server. • https://success.trendmicro.com/solution/1119715 https://www.zerodayinitiative.com/advisories/ZDI-18-421 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-6231 – Trend Micro Smart Protection Server Auth Command Injection Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2018-6231
A server auth command injection authentication bypass vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.3 and below could allow remote attackers to escalate privileges on vulnerable installations. This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Trend Micro Smart Protection Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of credentials provided at login. When parsing the username, the process does not properly validate a user-supplied string before using it to execute a system call. • https://success.trendmicro.com/solution/1119385 https://www.zerodayinitiative.com/advisories/ZDI-18-218 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')