CVE-2018-10357 – Trend Micro Endpoint Application Control FileDrop Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-10357
A directory traversal vulnerability in Trend Micro Endpoint Application Control 2.0 could allow a remote attacker to execute arbitrary code on vulnerable installations due to a flaw in the FileDrop servlet. Authentication is required to exploit this vulnerability. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Endpoint Application Control. • http://www.securityfocus.com/bid/104355 https://success.trendmicro.com/solution/1119811 https://www.zerodayinitiative.com/advisories/ZDI-18-469 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-10352 – Trend Micro Encryption for Email Gateway formConfiguration saveValue SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-10352
A vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to execute arbitrary SQL statements on vulnerable installations due to a flaw in the formConfiguration class. Authentication is required to exploit this vulnerability. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Encryption for Email Gateway. • https://success.trendmicro.com/solution/1119349 https://www.zerodayinitiative.com/advisories/ZDI-18-418 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-10355 – Trend Micro Encryption for Email Gateway DBCrypto Authentication Weakness Vulnerability
https://notcve.org/view.php?id=CVE-2018-10355
An authentication weakness vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to recover user passwords on vulnerable installations due to a flaw in the DBCrypto class. An attacker must first obtain access to the user database on the target system in order to exploit this vulnerability. This vulnerability allows attackers to recover user passwords on vulnerable installations of Trend Micro Encryption for Email Gateway. • https://success.trendmicro.com/solution/1119349 https://www.zerodayinitiative.com/advisories/ZDI-18-411 • CWE-522: Insufficiently Protected Credentials
CVE-2018-10351 – Trend Micro Encryption for Email Gateway register2 Client SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-10351
A vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to execute arbitrary SQL statements on vulnerable installations due to a flaw in the formRegistration2 class. Authentication is required to exploit this vulnerability. This vulnerability allows remote attackers to execute arbitrary SQL statements on vulnerable installations of Trend Micro Encryption for Email Gateway. • https://success.trendmicro.com/solution/1119349 https://www.zerodayinitiative.com/advisories/ZDI-18-415 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-10353 – Trend Micro Encryption for Email Gateway formChangePass username SQL Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2018-10353
A SQL injection information disclosure vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to disclose sensitive information on vulnerable installations due to a flaw in the formChangePass class. Authentication is required to exploit this vulnerability. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Trend Micro Encryption for Email Gateway. • https://success.trendmicro.com/solution/1119349 https://www.zerodayinitiative.com/advisories/ZDI-18-419 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')