CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-42103 – Trend Micro Apex One Uncontrolled Search Path Element Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-42103
An uncontrolled search path element vulnerabilities in Trend Micro Apex One and Apex One as a Service could allow a local attacker to escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar but not identical to CVE-2021-42101. Una vulnerabilidad de elemento de ruta de búsqueda no controlada en Trend Micro Apex One y Apex One as a Service podría permitir a un atacante local escalar privilegios en las instalaciones afectadas. Un atacante debe obtener primero la capacidad de ejecutar código con pocos privilegios en el sistema de destino para poder explotar esta vulnerabilidad. • https://success.trendmicro.com/solution/000289229 https://www.zerodayinitiative.com/advisories/ZDI-21-1213 • CWE-427: Uncontrolled Search Path Element •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-3848
https://notcve.org/view.php?id=CVE-2021-3848
An arbitrary file creation by privilege escalation vulnerability in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1, and Worry-Free Business Security Services could allow a local attacker to create an arbitrary file with higher privileges that could lead to a denial-of-service (DoS) on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Una vulnerabilidad de creación de archivos arbitrarios por escalada de privilegios en Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security versión 10.0 SP1 y Worry-Free Business Security Services podría permitir a un atacante local crear un archivo arbitrario con privilegios superiores que podría conllevar a una denegación de servicio (DoS) en las instalaciones afectadas. Nota: un atacante debe obtener primero la capacidad de ejecutar código con privilegios bajos en el sistema de destino para poder explotar esta vulnerabilidad • https://success.trendmicro.com/solution/000289183 •
CVSS: 10.0EPSS: 1%CPEs: 5EXPL: 0CVE-2021-36745 – Trend Micro ServerProtect Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2021-36745
A vulnerability in Trend Micro ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for Network Appliance Filers 5.8, and ServerProtect for Microsoft Windows / Novell Netware 5.8 could allow a remote attacker to bypass authentication on affected installations. Una vulnerabilidad en Trend Micro ServerProtect for Storage versión 6.0, ServerProtect for EMC Celerra versión 5.8, ServerProtect for Network Appliance Filers versión 5.8 y ServerProtect for Microsoft Windows / Novell Netware versión 5.8 podría permitir a un atacante remoto omitir la autenticación en las instalaciones afectadas This vulnerability allows remote attackers to bypass authentication on affected installations of Trend Micro ServerProtect. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ServerProtect console. The issue results from the lack of proper validation prior to authentication. An attacker can leverage this vulnerability to bypass authentication on the system. • https://success.trendmicro.com/jp/solution/000289030 https://success.trendmicro.com/solution/000289038 https://www.zerodayinitiative.com/advisories/ZDI-21-1115 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-32466 – Trend Micro HouseCall for Home Networks Uncontrolled Search Path Element Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-32466
An uncontrolled search path element privilege escalation vulnerability in Trend Micro HouseCall for Home Networks version 5.3.1225 and below could allow an attacker to escalate privileges by placing a custom crafted file in a specific directory to load a malicious library. Please note that an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability. Una vulnerabilidad de escalada de privilegios de elementos de búsqueda no controlada en Trend Micro HouseCall for Home Networks versión 5.3.1225 y por debajo, podría permitir a un atacante escalar privilegios al colocar un archivo diseñado a medida en un directorio específico para cargar una biblioteca maliciosa. Tenga en cuenta que un atacante debe obtener primero la capacidad de ejecutar código con pocos privilegios en el sistema de destino para explotar esta vulnerabilidad This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro HouseCall for Home Networks. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. • https://helpcenter.trendmicro.com/en-us/article/tmka-10626 https://helpcenter.trendmicro.com/ja-jp/article/TMKA-10621 https://www.zerodayinitiative.com/advisories/ZDI-21-1112 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-36744 – Trend Micro Maximum Security Directory Junction Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2021-36744
Trend Micro Security (Consumer) 2021 and 2020 are vulnerable to a directory junction vulnerability which could allow an attacker to exploit the system to escalate privileges and create a denial of service. Trend Micro Security (Consumer) versiones 2021 y 2020, son vulnerables a una vulnerabilidad de salto de directorios que podría permitir a un atacante explotar el sistema para escalar privilegios y crear una denegación de servicio. This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Maximum Security Agent. By creating a directory junction, an attacker can abuse the service to delete a file. • https://helpcenter.trendmicro.com/en-us/article/tmka-10568 https://www.zerodayinitiative.com/advisories/ZDI-21-1052 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •