CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32526 – Trend Micro Mobile Security for Enterprises widgetforsecurity set_certificates_config Unrestricted File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2023-32526
Trend Micro Mobile Security (Enterprise) 9.8 SP5 contains widget vulnerabilities that could allow a remote attacker to create arbitrary files on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is similar to, but not identical to CVE-2023-32525. This vulnerability allows remote attackers to create arbitrary files on affected installations of Trend Micro Mobile Security for Enterprises. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the set_certificates_config action defined within the web/widgetforsecurity path. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. • https://success.trendmicro.com/dcx/s/solution/000293106?language=en_US https://www.zerodayinitiative.com/advisories/ZDI-23-586 •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32525 – Trend Micro Mobile Security for Enterprises widget set_certificates_config Unrestricted File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2023-32525
Trend Micro Mobile Security (Enterprise) 9.8 SP5 contains widget vulnerabilities that could allow a remote attacker to create arbitrary files on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is similar to, but not identical to CVE-2023-32526. This vulnerability allows remote attackers to create arbitrary files on affected installations of Trend Micro Mobile Security for Enterprises. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the set_certificates_config action defined within the web/widget path. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. • https://success.trendmicro.com/dcx/s/solution/000293106?language=en_US https://www.zerodayinitiative.com/advisories/ZDI-23-589 •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-40980
https://notcve.org/view.php?id=CVE-2022-40980
A potential unathenticated file deletion vulnerabilty on Trend Micro Mobile Security for Enterprise 9.8 SP5 could allow an attacker with access to the Management Server to delete files. This issue was resolved in 9.8 SP5 Critical Patch 2. Una posible vulnerabilidad de eliminación de archivos sin autenticación en Trend Micro Mobile Security for Enterprise versión 9.8 SP5, podría permitir a un atacante con acceso al servidor de administración eliminar archivos. Este problema ha sido resuelto en versión 9.8 SP5 Critical Patch 2 • https://files.trendmicro.com/documentation/readme/tmms_sp5_cp2/tmms-ee_9.8_sp5_patch2_readme_server.txt •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2020-10193
https://notcve.org/view.php?id=CVE-2020-10193
ESET Archive Support Module before 1294 allows virus-detection bypass via crafted RAR Compression Information in an archive. This affects versions before 1294 of Smart Security Premium, Internet Security, NOD32 Antivirus, Cyber Security Pro (macOS), Cyber Security (macOS), Mobile Security for Android, Smart TV Security, and NOD32 Antivirus 4 for Linux Desktop. ESET Archive Support Module versiones anteriores a 1294, permite una omisión de detección de virus por medio de una Información de Compresión RAR en un archivo. Esto afecta a las versiones anteriores a 1294 de Smart Security Premium, Internet Security, NOD32 Antivirus, Cyber Security Pro (macOS), Cyber Security (macOS), Mobile Security para Android, Smart TV Security, y NOD32 Antivirus 4 para Linux Desktop. • https://blog.zoller.lu/p/from-low-hanging-fruit-department_13.html • CWE-436: Interpretation Conflict •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2020-10180
https://notcve.org/view.php?id=CVE-2020-10180
The ESET AV parsing engine allows virus-detection bypass via a crafted BZ2 Checksum field in an archive. This affects versions before 1294 of Smart Security Premium, Internet Security, NOD32 Antivirus, Cyber Security Pro (macOS), Cyber Security (macOS), Mobile Security for Android, Smart TV Security, and NOD32 Antivirus 4 for Linux Desktop. El motor de análisis de ESET AV, permite omitir la detección de virus por medio de un campo BZ2 Checksum diseñado en un archivo. Esto afecta a las versiones anteriores a 1294 de Smart Security Premium, Internet Security, NOD32 Antivirus, Cyber Security Pro (macOS), Cyber Security (macOS), Mobile Security for Android, Smart TV Security y NOD32 Antivirus 4 para Linux Desktop. • https://blog.zoller.lu/p/tzo-11-2020-eset-generic-malformed.html • CWE-436: Interpretation Conflict •