CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-25231 – Trend Micro Apex One Improper Access Control Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-25231
An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about a specific hotfix history file. Una vulnerabilidad de control de acceso inapropiado en Trend Micro Apex One (on premises y SaaS), OfficeScan XG SP1 y Worry-Free Business Security versión 10.0 SP1, podría permitir a un usuario no autenticado obtener información sobre un archivo del histórico de revisiones específico This vulnerability allows remote attackers to disclose sensitive information on affected installations of Trend Micro Apex One. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web console, which listens on TCP port 4343 by default. The issue results from improper access control. An attacker can leverage this vulnerability to disclose information from the application. • https://success.trendmicro.com/solution/000284202 https://success.trendmicro.com/solution/000284205 https://success.trendmicro.com/solution/000284206 https://www.zerodayinitiative.com/advisories/ZDI-21-106 •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-27010
https://notcve.org/view.php?id=CVE-2020-27010
A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper with the web interface of the product in a manner separate from the similar CVE-2020-8462. Una vulnerabilidad de tipo cross-site scripting (XSS) en Trend Micro InterScan Web Security Virtual Appliance versión 6.5 SP2, podría permitir a un atacante manipular la interfaz web del producto de una manera diferente del CVE-2020-8462 similar • https://success.trendmicro.com/solution/000283077 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8461 – Trend Micro IWSVA CSRF / XSS / Bypass / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-8461
A CSRF protection bypass vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to get a victim's browser to send a specifically encoded request without requiring a valid CSRF token. Una vulnerabilidad de omisión de protección CSRF en Trend Micro InterScan Web Security Virtual Appliance versión 6.5 SP2, podría permitir a un atacante conseguir que el navegador de la víctima envíe una petición codificada específicamente sin requerir un token CSRF válido Trend Micro InterScan Web Security Virtual Appliance (IWSVA) versions below 6.5 SP2 EN Patch 4 Build 1919 suffers from bypass, command execution, cross site request forgery, cross site scripting, and server-side request forgery vulnerabilities. • https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-trend-micro-interscan-web-security-virtual-appliance https://success.trendmicro.com/solution/000283077 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8464 – Trend Micro IWSVA CSRF / XSS / Bypass / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-8464
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to send requests that appear to come from the localhost which could expose the product's admin interface to users who would not normally have access. Una vulnerabilidad en Trend Micro InterScan Web Security Virtual Appliance versión 6.5 SP2, podría permitir a un atacante enviar peticiones que parecen provenir del host local, lo que podría exponer la interfaz de administración del producto a usuarios que normalmente no tendrían acceso Trend Micro InterScan Web Security Virtual Appliance (IWSVA) versions below 6.5 SP2 EN Patch 4 Build 1919 suffers from bypass, command execution, cross site request forgery, cross site scripting, and server-side request forgery vulnerabilities. • https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-trend-micro-interscan-web-security-virtual-appliance https://success.trendmicro.com/solution/000283077 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8462 – Trend Micro IWSVA CSRF / XSS / Bypass / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-8462
A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper with the web interface of the product. Una vulnerabilidad de tipo cross-site scripting (XSS) en Trend Micro InterScan Web Security Virtual Appliance versión 6.5 SP2, podría permitir a un atacante manipular a la interfaz web del producto Trend Micro InterScan Web Security Virtual Appliance (IWSVA) versions below 6.5 SP2 EN Patch 4 Build 1919 suffers from bypass, command execution, cross site request forgery, cross site scripting, and server-side request forgery vulnerabilities. • https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-trend-micro-interscan-web-security-virtual-appliance https://success.trendmicro.com/solution/000283077 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •