CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2018-6226 – Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-6226
Reflected cross-site scripting (XSS) vulnerabilities in two Trend Micro Email Encryption Gateway 5.5 configuration files could allow an attacker to inject client-side scripts into vulnerable systems. Vulnerabilidades Cross-Site Scripting (XSS) reflejado en dos archivos de configuración de Trend Micro Email Encryption Gateway 5.5 podría permitir que un atacante inyecte scripts del lado del cliente en sistemas vulnerables. Trend Micro Email Encryption Gateway suffers from cleartext transmission of sensitive information, missing authentication, cross site request forgery, cross site scripting, and various other vulnerabilities. • https://www.exploit-db.com/exploits/44166 https://success.trendmicro.com/solution/1119349 https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2018-6223 – Trend Micro Encryption for Email Gateway Registration Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2018-6223
A missing authentication for appliance registration vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to manipulate the registration process of the product to reset configuration parameters. Una vulnerabilidad de falta de autenticación para el registro de dispositivos en Trend Micro Email Encryption Gateway 5.5 podría permitir que un atacante manipule el proceso de registro del producto para reiniciar los parámetros de configuración. This vulnerability allows remote attackers to reset the Administrator password on vulnerable installations of Trend Micro Encryption for Email Gateway. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the product registration process. The issue results from the lack of validating the product registration status prior to performing product registration. • https://www.exploit-db.com/exploits/44166 https://success.trendmicro.com/solution/1119349 https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 2CVE-2018-6230 – Trend Micro Encryption for Email Gateway emailSearch SearchString SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-6230
A SQL injection vulnerability in an Trend Micro Email Encryption Gateway 5.5 search configuration script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system. Una vulnerabilidad de inyección SQL en un script de búsqueda de configuraciones de Trend Micro Email Encryption Gateway 5.5 podría permitir que un atacante ejecute comandos SQL para subir y ejecutar código arbitrario que pudiera comprometer el sistema objetivo. This vulnerability allows remote attackers to execute arbitrary SQL statements on vulnerable installations of Trend Micro Encryption for Email Gateway. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the wsEmailSearch class. When parsing the SearchString parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. • https://www.exploit-db.com/exploits/44166 https://success.trendmicro.com/solution/1119349 https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4351 – Trend Micro Mail Encryption Gateway SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2016-4351
SQL injection vulnerability in the authentication functionality in Trend Micro Email Encryption Gateway (TMEEG) 5.5 before build 1107 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en la funcionalidad de autenticación en Trend Micro Email Encryption Gateway (TMEEG) 5.5 en versiones anteriores a build 1107 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores no especificados. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Email Encryption Gateway. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authentication functionality. The issue lies in the failure to sanitize user-supplied input prior to executing a SQL statement. • http://www.zerodayinitiative.com/advisories/ZDI-16-248 https://esupport.trendmicro.com/solution/en-US/1114060.aspx • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •