
CVSS: 7.5 • EPSS: 1% • CPEs: 1 • EXPL: 0

An uninitialized pointer information disclosure vulnerability in Trend Micro Mobile Security (Enterprise) versions 9.7 and below could allow an unauthenticated remote attacker to disclose sensitive information on a vulnerable system.

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Trend Micro Mobile Security for Enterprise. Authentication is not required to exploit this vulnerability. The specific flaw exists within processing of the clt_report_sms_status action. The issue results from the lack of proper initialization of a pointer prior to accessing it.

• http://www.securityfocus.com/bid/102216
• http://www.zerodayinitiative.com/advisories/ZDI-17-972
• https://success.trendmicro.com/solution/1118993
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.8 • EPSS: 2% • CPEs: 1 • EXPL: 0

Unrestricted file uploads in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Mobile Security for Enterprise. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of the upload_img_file action. The issue results from the lack of proper validation of user-supplied data, which can allow for the upload of arbitrary files.

• http://www.securityfocus.com/bid/100970
• http://www.zerodayinitiative.com/advisories/ZDI-17-785
• http://www.zerodayinitiative.com/advisories/ZDI-17-789
• http://www.zerodayinitiative.com/advisories/ZDI-17-790
• http://www.zerodayinitiative.com/advisories/ZDI-17-807
• https://success.trendmicro.com/solution/1118224
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 61% • CPEs: 1 • EXPL: 0

SQL injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Mobile Security for Enterprise. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of the get_moveto_group_list action. When parsing the 'id' field, the process does not properly validate a user-supplied string before using it to construct SQL queries.

• http://www.securityfocus.com/bid/100966
• http://www.zerodayinitiative.com/advisories/ZDI-17-739
• http://www.zerodayinitiative.com/advisories/ZDI-17-740
• http://www.zerodayinitiative.com/advisories/ZDI-17-741
• http://www.zerodayinitiative.com/advisories/ZDI-17-742
• http://www.zerodayinitiative.com/advisories/ZDI-17-743
• http://www.zerodayinitiative.com/advisories/ZDI-17-744
• http://www.zerodayinitiative.com/advisories/ZDI-17-745
• http://www.zerodayinitiative.com/advisories/ZDI-17-746
• http://www.zer
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

Proxy command injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Mobile Security for Enterprise. Authentication is required to exploit this vulnerability. The specific flaw exists within the modTMCSS Proxy functionality. When parsing certain parameters and "type" is set to "WR," the process does not properly validate a user-supplied string before using it to execute a system call.

• http://www.securityfocus.com/bid/100969
• http://www.zerodayinitiative.com/advisories/ZDI-17-752
• http://www.zerodayinitiative.com/advisories/ZDI-17-774
• https://success.trendmicro.com/solution/1118224
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Authentication bypass vulnerability in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allows attackers to access a specific part of the console using a blank password.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Mobile Security for Enterprise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the initialization of the users table in the tmwf database. When processing an attempt to log in a user by an email address, the system can bypass password authentication.

• http://www.zerodayinitiative.com/advisories/ZDI-17-767
• https://success.trendmicro.com/solution/1118224
• CWE-287: Improper Authentication