CVSS: 5.5EPSS: 0%CPEs: 39EXPL: 0CVE-2021-25252
https://notcve.org/view.php?id=CVE-2021-25252
Trend Micro's Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) - are vulnerable to a memory exhaustion vulnerability that may lead to denial-of-service or system freeze if exploited by an attacker using a specially crafted file. La API Virus Scan (VSAPI) y el Advanced Threat Scan Engine (ATSE) de Trend Micro, son susceptibles a una vulnerabilidad de agotamiento de la memoria que puede conllevar a una denegación de servicio o a un congelamiento del sistema si es explotada por un atacante usando un archivo especialmente diseñado • https://success.trendmicro.com/solution/000285675 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 2CVE-2020-27016 – Trend Micro IMSVA CSRF / XML Injection / SSRF / File Disclosure
https://notcve.org/view.php?id=CVE-2020-27016
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a cross-site request forgery (CSRF) vulnerability which could allow an attacker to modify policy rules by tricking an authenticated administrator into accessing an attacker-controlled web page. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability. Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) versión 9.1, es susceptible a una vulnerabilidad de tipo cross-site request forgery (CSRF) que podría permitir a un atacante modificar las reglas de políticas engañando a un administrador autenticado para que acceda a una página web controlada por el atacante. Un atacante ya debe haber obtenido privilegios de administrator/root del producto para explotar esta vulnerabilidad Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) versions prior to 9.1.0 Critical Patch Build 2025 suffer from XML injection, over-privileged access, cross site request forgery, file disclosure, server-side request forgery, information leakage, and various other vulnerabilities. • https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva https://success.trendmicro.com/solution/000279833 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 2CVE-2020-27017 – Trend Micro IMSVA CSRF / XML Injection / SSRF / File Disclosure
https://notcve.org/view.php?id=CVE-2020-27017
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability. Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) versión 9.1, es susceptible a una vulnerabilidad de tipo XML External Entity Processing (XXE) que podría permitir a un administrador autenticado leer archivos locales arbitrarios. Un atacante ya debe haber obtenido privilegios de administrator/root del producto para explotar esta vulnerabilidad Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) versions prior to 9.1.0 Critical Patch Build 2025 suffer from XML injection, over-privileged access, cross site request forgery, file disclosure, server-side request forgery, information leakage, and various other vulnerabilities. • https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva https://success.trendmicro.com/solution/000279833 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 2CVE-2020-27018 – Trend Micro IMSVA CSRF / XML Injection / SSRF / File Disclosure
https://notcve.org/view.php?id=CVE-2020-27018
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a server side request forgery vulnerability which could allow an authenticated attacker to abuse the product's web server and grant access to web resources or parts of local files. An attacker must already have obtained authenticated privileges on the product to exploit this vulnerability. Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) versión 9.1, es susceptible a una vulnerabilidad de tipo server side request forgery que podría permitir a un atacante autenticado abusar del servidor web del producto y otorgar acceso a recursos web o partes de archivos locales. Un atacante ya debe haber obtenido privilegios autenticados en el producto para explotar esta vulnerabilidad Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) versions prior to 9.1.0 Critical Patch Build 2025 suffer from XML injection, over-privileged access, cross site request forgery, file disclosure, server-side request forgery, information leakage, and various other vulnerabilities. • https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva https://success.trendmicro.com/solution/000279833 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 2CVE-2020-27019 – Trend Micro IMSVA CSRF / XML Injection / SSRF / File Disclosure
https://notcve.org/view.php?id=CVE-2020-27019
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an information disclosure vulnerability which could allow an attacker to access a specific database and key. Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) versión 9.1, es susceptible a una vulnerabilidad de divulgación de información que podría permitir a un atacante acceder a una base de datos y clave específica Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) versions prior to 9.1.0 Critical Patch Build 2025 suffer from XML injection, over-privileged access, cross site request forgery, file disclosure, server-side request forgery, information leakage, and various other vulnerabilities. • https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva https://success.trendmicro.com/solution/000279833 • CWE-306: Missing Authentication for Critical Function •