CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2016-1224
https://notcve.org/view.php?id=CVE-2016-1224
CRLF injection vulnerability in Trend Micro Worry-Free Business Security Service 5.x and Worry-Free Business Security 9.0 allows remote attackers to inject arbitrary HTTP headers and conduct cross-site scripting (XSS) attacks via unspecified vectors. Vulnerabilidad de inyección CRLF en Trend Micro Worry-Free Business Security Service 5.x y Worry-Free Business Security 9.0 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y llevar a cabo ataques XSS a través de vectores no especificados. • http://esupport.trendmicro.com/solution/ja-JP/1114102.aspx http://jvn.jp/en/jp/JVN48847535/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2016-000089 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2016-1223
https://notcve.org/view.php?id=CVE-2016-1223
Directory traversal vulnerability in Trend Micro Office Scan 11.0, Worry-Free Business Security Service 5.x, and Worry-Free Business Security 9.0 allows remote attackers to read arbitrary files via unspecified vectors. Vulnerabilidad de salto de directorio en Trend Micro Office Scan 11.0, Worry-Free Business Security Service 5.x y Worry-Free Business Security 9.0 permite a atacantes remotos leer archivos arbitrarios a través de vectores no especificados. • http://esupport.trendmicro.com/solution/ja-JP/1114102.aspx http://jvn.jp/en/jp/JVN48847535/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2016-000074 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 12%CPEs: 4EXPL: 0CVE-2008-2433
https://notcve.org/view.php?id=CVE-2008-2433
The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration." La consola de administración web en Trend Micro OfficeScan 7.0 hasta 8.0, Worry-Free Business Security 5.0, y Client/Server/Messaging Suite 3.5 y 3.6 crea una sesión de modo aleatorio basada sólo en el tiempo de acceso, lo cual hace más fácil para atacantes remotos secuestrar sesión a través de ataques de fuerza bruta. NOTA: esto puede ser aprovechado para la ejecución de código a través de una indeterminada "manipulación de la configuración". • http://secunia.com/advisories/31373 http://secunia.com/secunia_research/2008-31/advisory http://securityreason.com/securityalert/4191 http://www.securityfocus.com/archive/1/495670/100/0/threaded http://www.securityfocus.com/bid/30792 http://www.securitytracker.com/id?1020732 http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2402_readme.txt http://www.trendmicro.com/ftp/documentation/readme/Readme_WFBS5%200_EN_CriticalPatch1404.txt http://www.vupen.com&#x • CWE-330: Use of Insufficiently Random Values •