CVE-2017-14095 – Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control
https://notcve.org/view.php?id=CVE-2017-14095
A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a local file inclusion on a vulnerable system. Trend Micro Smart Protection Server version 3.2 suffers from access control bypass, cross-site scripting, information disclosure, and various other vulnerabilities.
• https://www.exploit-db.com/exploits/43388
• http://www.securityfocus.com/bid/102275
• https://success.trendmicro.com/solution/1118992
• https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
• CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CVE-2017-14090
https://notcve.org/view.php?id=CVE-2017-14090
A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in which some communications to the update servers are not encrypted.
• https://success.trendmicro.com/solution/1118486
• https://www.coresecurity.com/advisories/trend-micro-scanmail-microsoft-exchange-multiple-vulnerabilities
• CWE-326: Inadequate Encryption Strength
CVE-2017-14091
https://notcve.org/view.php?id=CVE-2017-14091
A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in which certain specific installations that utilize an uncommon feature - Other Update Sources - could be exploited to overwrite sensitive files in the ScanMail for Exchange directory.
• https://success.trendmicro.com/solution/1118486
• https://www.coresecurity.com/advisories/trend-micro-scanmail-microsoft-exchange-multiple-vulnerabilities
• CWE-345: Insufficient Verification of Data Authenticity
CVE-2017-14093
https://notcve.org/view.php?id=CVE-2017-14093
The Log Query and Quarantine Query pages in Trend Micro ScanMail for Exchange 12.0 are vulnerable to cross-site scripting (XSS) attacks.
• https://success.trendmicro.com/solution/1118486
• https://www.coresecurity.com/advisories/trend-micro-scanmail-microsoft-exchange-multiple-vulnerabilities
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-14092
https://notcve.org/view.php?id=CVE-2017-14092
The absence of Anti-CSRF tokens in Trend Micro ScanMail for Exchange 12.0 web interface forms could allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain.
• https://success.trendmicro.com/solution/1118486
• https://www.coresecurity.com/advisories/trend-micro-scanmail-microsoft-exchange-multiple-vulnerabilities
• CWE-352: Cross-Site Request Forgery (CSRF)