CVE-2020-24558 – Trend Micro Apex One Out-Of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-24558
A vulnerability in an Trend Micro Apex One, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services dll may allow an attacker to manipulate it to cause an out-of-bounds read that crashes multiple processes in the product. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Una vulnerabilidad en una dll de Trend Micro Apex One, Worry-Free Business Security 10.0 SP1 y Worry-Free Business Security Services dll, puede permitir a un atacante manipularla para causar una lectura fuera de límites que bloquee varios procesos en el producto. Un atacante debe primero obtener la capacidad de ejecutar código poco privilegiado en el sistema de objetivo para explotar esta vulnerabilidad This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Apex One. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within OfcPIPC_64x.dll. • https://success.trendmicro.com/solution/000263632 https://success.trendmicro.com/solution/000267260 https://www.zerodayinitiative.com/advisories/ZDI-20-1095 • CWE-125: Out-of-bounds Read •
CVE-2020-24556 – Trend Micro Apex One Hard Link Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-24556
A vulnerability in Trend Micro Apex One, OfficeScan XG SP1, Worry-Free Business Security 10 SP1 and Worry-Free Business Security Services on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code execution. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected. Una vulnerabilidad en Trend Micro Apex One, OfficeScan XG SP1, Worry-Free Business Security 10 SP1 y Worry-Free Business Security Services en Microsoft Windows, puede permitir a un atacante crear un enlace físico para cualquier archivo en el sistema, que luego podría manipularse para obtener una escalada de privilegios y una ejecución de código. Un atacante debe primero obtener la capacidad de ejecutar código poco privilegiado en el sistema objetivo para explotar esta vulnerabilidad. • https://success.trendmicro.com/solution/000263632 https://success.trendmicro.com/solution/000263633 https://success.trendmicro.com/solution/000267260 https://www.zerodayinitiative.com/advisories/ZDI-20-1093 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2020-24559 – Trend Micro Apex One Hard Link Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-24559
A vulnerability in Trend Micro Apex One, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services on macOS may allow an attacker to manipulate a certain binary to load and run a script from a user-writable folder, which then would allow them to execute arbitrary code as root. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Una vulnerabilidad en Trend Micro Apex One, Worry-Free Business Security 10.0 SP1 y Worry-Free Business Security Services en macOS, puede permitir a un atacante manipular un determinado binario para cargar y ejecutar un script desde una carpeta editable por el usuario, lo que luego les permitiría ejecutar código arbitrario como root. Un atacante debe primero obtener la capacidad de ejecutar código poco privilegiado en el sistema objetivo para explotar esta vulnerabilidad This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the ApexOne Security Agent. • https://success.trendmicro.com/solution/000263632 https://success.trendmicro.com/solution/000267260 https://www.zerodayinitiative.com/advisories/ZDI-20-1096 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2019-1332
https://notcve.org/view.php?id=CVE-2019-1332
A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka 'Microsoft SQL Server Reporting Services XSS Vulnerability'. Hay una vulnerabilidad de tipo cross-site scripting (XSS) cuando Microsoft SQL Server Reporting Services (SSRS) no sanea apropiadamente una petición web especialmente diseñada para un servidor SSRS afectado, también se conoce como "Microsoft SQL Server Reporting Services XSS Vulnerability". • https://github.com/mbadanoiu/CVE-2019-1332 https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-1332-Cross-Site%20Scripting-Microsoft%20SQL%20Server%20Reporting%20Services https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1332 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-1446
https://notcve.org/view.php?id=CVE-2019-1446
An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka 'Microsoft Excel Information Disclosure Vulnerability'. Se presenta una vulnerabilidad de divulgación de información cuando Microsoft Excel divulga inapropiadamente el contenido de su memoria, también se conoce como "Microsoft Excel Information Disclosure Vulnerability". • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1446 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •