CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8463 – Trend Micro IWSVA CSRF / XSS / Bypass / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-8463
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to bypass a global authorization check for anonymous users by manipulating request paths. Una vulnerabilidad en Trend Micro InterScan Web Security Virtual Appliance versión 6.5 SP2, podría permitir a un atacante omitir una comprobación de autorización global para usuarios anónimos mediante la manipulación de rutas de petición Trend Micro InterScan Web Security Virtual Appliance (IWSVA) versions below 6.5 SP2 EN Patch 4 Build 1919 suffers from bypass, command execution, cross site request forgery, cross site scripting, and server-side request forgery vulnerabilities. • https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-trend-micro-interscan-web-security-virtual-appliance https://success.trendmicro.com/solution/000283077 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8464 – Trend Micro IWSVA CSRF / XSS / Bypass / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-8464
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to send requests that appear to come from the localhost which could expose the product's admin interface to users who would not normally have access. Una vulnerabilidad en Trend Micro InterScan Web Security Virtual Appliance versión 6.5 SP2, podría permitir a un atacante enviar peticiones que parecen provenir del host local, lo que podría exponer la interfaz de administración del producto a usuarios que normalmente no tendrían acceso Trend Micro InterScan Web Security Virtual Appliance (IWSVA) versions below 6.5 SP2 EN Patch 4 Build 1919 suffers from bypass, command execution, cross site request forgery, cross site scripting, and server-side request forgery vulnerabilities. • https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-trend-micro-interscan-web-security-virtual-appliance https://success.trendmicro.com/solution/000283077 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 39%CPEs: 1EXPL: 1CVE-2020-8466 – Trend Micro IWSVA CSRF / XSS / Bypass / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-8466
A command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2, with the improved password hashing method enabled, could allow an unauthenticated attacker to execute certain commands by providing a manipulated password. Una vulnerabilidad de inyección de comandos en Trend Micro InterScan Web Security Virtual Appliance versión 6.5 SP2, con el método habilitado de hashing de contraseña mejorado, podría permitir a un atacante no autenticado ejecutar determinados comandos al proporcionar una contraseña manipulada Trend Micro InterScan Web Security Virtual Appliance (IWSVA) versions below 6.5 SP2 EN Patch 4 Build 1919 suffers from bypass, command execution, cross site request forgery, cross site scripting, and server-side request forgery vulnerabilities. • https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-trend-micro-interscan-web-security-virtual-appliance https://success.trendmicro.com/solution/000283077 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2020-28583 – Trend Micro OfficeScan Improper Access Control Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-28583
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version, build and patch information. Una vulnerabilidad de divulgación de información de control de acceso inapropiado en Trend Micro Apex One y OfficeScan XG SP1, podría permitir a un usuario no autenticado conectarse al servidor del producto y revelar información sobre la versión, la compilación y el parche This vulnerability allows remote attackers to disclose sensitive information on affected installations of Trend Micro OfficeScan. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web console, which listens on TCP port 4343 by default. The issue results from improper access control. An attacker can leverage this vulnerability to disclose information from the application. • https://success.trendmicro.com/solution/000281947 https://success.trendmicro.com/solution/000281949 https://www.zerodayinitiative.com/advisories/ZDI-20-1387 •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2020-28582 – Trend Micro OfficeScan Improper Access Control Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-28582
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal number of managed agents. Una vulnerabilidad de divulgación de información de control de acceso inapropiado en Trend Micro Apex One y OfficeScan XG SP1, podría permitir a un usuario no autenticado conectarse al servidor del producto y revelar la cantidad de agentes administrados This vulnerability allows remote attackers to disclose sensitive information on affected installations of Trend Micro OfficeScan. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web console, which listens on TCP port 4343 by default. The issue results from improper access control. An attacker can leverage this vulnerability to disclose information from the application. • https://success.trendmicro.com/solution/000281947 https://success.trendmicro.com/solution/000281949 https://www.zerodayinitiative.com/advisories/ZDI-20-1386 •