CVSS: 6.5EPSS: 2%CPEs: 1EXPL: 3CVE-2017-6339 – Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2017-6339
05 Apr 2017 — Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 mismanages certain key and certificate data. Per IWSVA documentation, by default, IWSVA acts as a private Certificate Authority (CA) and dynamically generates digital certificates that are sent to client browsers to complete a secure passage for HTTPS connections. It also allows administrators to upload their own certificates signed by a root CA. An attacker with low privileges can download the current CA certificate and Private... • https://packetstorm.news/files/id/142552 • CWE-269: Improper Privilege Management CWE-521: Weak Password Requirements •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 3CVE-2017-6340 – Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2017-6340
05 Apr 2017 — Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize a rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect access control that allows any authenticated, remote user (even with low privileges like 'Auditor') to create or modify reports, and consequently take advantage of this XSS vulnerability. The JavaScript is executed when victims visit... • https://packetstorm.news/files/id/142552 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 6%CPEs: 1EXPL: 1CVE-2016-9269 – Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-9269
21 Feb 2017 — Remote Command Execution in com.trend.iwss.gui.servlet.ManagePatches in Trend Micro Interscan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to run arbitrary commands on the system as root via Patch Update functionality. This was resolved in Version 6.5 CP 1737. Ejecución de comandos remota en com.trend.iwss.gui.servlet.ManagePatches en Trend Micro Interscan Web Security Virtual Appliance (IWSVA) versión 6.5-SP2_Bu... • https://www.exploit-db.com/exploits/41361 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 1CVE-2016-9314 – Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-9314
21 Feb 2017 — Sensitive Information Disclosure in com.trend.iwss.gui.servlet.ConfigBackup in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to backup the system configuration and download it onto their local machine. This backup file contains sensitive information like passwd/shadow files, RSA certificates, Private Keys and Default Passphrase, etc. This was resolved in Version 6.5 CP 1737. Divulgación de in... • https://www.exploit-db.com/exploits/41361 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2016-9316 – Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-9316
21 Feb 2017 — Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allow authenticated, remote users with least privileges to inject arbitrary HTML/JavaScript code into web pages. This was resolved in Version 6.5 CP 1737. Múltiples vulnerabilidades de XSS almacenadas en com.trend.iwss.gui.servlet.updateaccountadministration en Trend Micro InterScan We... • https://www.exploit-db.com/exploits/41361 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 5%CPEs: 1EXPL: 2CVE-2016-9315 – Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-9315
16 Feb 2017 — Privilege Escalation Vulnerability in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to change Master Admin's password and/or add new admin accounts. This was resolved in Version 6.5 CP 1737. Vulnerabilidad de escalada de privilegios en com.trend.iwss.gui.servlet.updateaccountadministration en Trend Micro InterScan Web Security Virtual ... • https://packetstorm.news/files/id/141127 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2014-8510 – Trend Micro InterScan Web Security Virtual Appliance Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2014-8510
06 Nov 2014 — The AdminUI in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) before 6.0 HF build 1244 allows remote authenticated users to read arbitrary files via vectors related to configuration input when saving filters. La interfaz de usuarios de administración en Trend Micro InterScan Web Security Virtual Appliance (IWSVA) anterior a 6.0 HF build 1244 permite a usuarios remotos autenticados leer ficheros arbitrarios a través de vectores relacionados con entradas de configuraciones cuando se guardan filt... • http://www.zerodayinitiative.com/advisories/ZDI-14-373 • CWE-20: Improper Input Validation •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2009-0612
https://notcve.org/view.php?id=CVE-2009-0612
17 Feb 2009 — Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 3.x and InterScan Web Security Suite (IWSS) 3.x, when basic authorization is enabled on the standalone proxy, forwards the Proxy-Authorization header from Windows Media Player, which allows remote web servers to obtain credentials by offering a media stream and then capturing this header. Trend Micro InterScan Web Security Virtual Appliance (IWSVA) v3.x e InterScan Web Security Suite (IWSS) v3.x, cuando la autorización básica está habilitada sobre... • http://secunia.com/advisories/33891 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •