CVSS: 9.4EPSS: 0%CPEs: 7EXPL: 0CVE-2020-8470
https://notcve.org/view.php?id=CVE-2020-8470
Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow an attacker to delete any file on the server with SYSTEM level privileges. Authentication is not required to exploit this vulnerability. El servidor de Trend Micro Apex One (2019), OfficeScan XG y Worry-Free Business Security versiones (9.0, 9.5, 10.0), contienen un archivo DLL de servicio vulnerable que podría permitir a un atacante eliminar cualquier archivo en el servidor con privilegios de nivel SYSTEM. No es requerida una autenticación para explotar esta vulnerabilidad. • https://success.trendmicro.com/jp/solution/000244253 https://success.trendmicro.com/jp/solution/000244836 https://success.trendmicro.com/solution/000245571 https://success.trendmicro.com/solution/000245572 •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-8468 – Trend Micro Multiple Products Content Validation Escape Vulnerability
https://notcve.org/view.php?id=CVE-2020-8468
Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication. Los agentes de Trend Micro Apex One (2019), OfficeScan XG y Worry-Free Business Security versiones (9.0, 9.5, 10.0), están afectados por una vulnerabilidad de escape de comprobación de contenido que podría permitir a un atacante manipular determinados componentes del cliente del agente. Un intento de ataque requiere autenticación de usuario. Trend Micro Apex One, OfficeScan, and Worry-Free Business Security agents contain a content validation escape vulnerability that could allow an attacker to manipulate certain agent client components. • https://success.trendmicro.com/jp/solution/000244253 https://success.trendmicro.com/jp/solution/000244836 https://success.trendmicro.com/solution/000245571 https://success.trendmicro.com/solution/000245572 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.0EPSS: 0%CPEs: 12EXPL: 0CVE-2019-14688
https://notcve.org/view.php?id=CVE-2019-14688
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial product installation by an authorized user. The attacker must convince the target to download malicious DLL locally which must be present when the installer is run. Trend Micro ha reempaquetado instaladores para varios productos de Trend Micro que usaron una versión de un paquete de instalación que tenía una vulnerabilidad de secuestro de DLL, que podría ser explotada durante la instalación de un nuevo producto. Se encontró que la vulnerabilidad SOLO es explotable durante la instalación inicial del producto por parte de un usuario autorizado. • https://success.trendmicro.com/solution/1123562 • CWE-427: Uncontrolled Search Path Element •