CVE-2022-28394
https://notcve.org/view.php?id=CVE-2022-28394
EOL Product CVE - Installer of Trend Micro Password Manager (Consumer) versions 3.7.0.1223 and below provided by Trend Micro Incorporated contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Please note that this was reported on an EOL version of the product, and users are advised to upgrade to the latest supported version (5.x). CVE de producto EOL - El instalador de Trend Micro Password Manager (Consumer) versiones 3.7.0.1223 y posteriores proporcionado por Trend Micro Incorporated contiene un problema con la ruta de búsqueda de DLL, que puede provocar la carga insegura de bibliotecas de enlace dinámico CWE-427). Tenga en cuenta que este problema se ha detectado en una versión EOL del producto, por lo que se recomienda a los usuarios que actualicen a la última versión compatible (5.x). • https://helpcenter.trendmicro.com/ja-jp/article/TMKA-10977 https://jvn.jp/en/jp/JVN60037444 https://jvn.jp/jp/JVN60037444 • CWE-427: Uncontrolled Search Path Element •
CVE-2022-30523 – Trend Micro Password Manager Link Following Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-30523
Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow a low privileged local attacker to delete the contents of an arbitrary folder as SYSTEM which can then be used for privilege escalation on the affected machine. Trend Micro Password Manager (Consumer) versión 5.0.0.1266 y anteriores, es susceptible a una vulnerabilidad de escalada de privilegios de seguimiento de enlaces que podría permitir a un atacante local con pocos privilegios eliminar el contenido de una carpeta arbitraria como SYSTEM, lo que puede usarse para una escalada de privilegios en el equipo afectado This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Password Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Trend Micro Password Manager Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://helpcenter.trendmicro.com/en-us/article/tmka-09071 https://www.zerodayinitiative.com/advisories/ZDI-22-759 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2022-26337
https://notcve.org/view.php?id=CVE-2022-26337
Trend Micro Password Manager (Consumer) installer version 5.0.0.1262 and below is vulnerable to an Uncontrolled Search Path Element vulnerability that could allow an attacker to use a specially crafted file to exploit the vulnerability and escalate local privileges on the affected machine. El instalador de Trend Micro Password Manager (Consumer) versión 5.0.0.1262 y anteriores, es susceptible a una vulnerabilidad de Elemento de Ruta de Búsqueda no Controlada que podría permitir a un atacante usar un archivo especialmente diseñado para explotar la vulnerabilidad y elevar privilegios locales en el equipo afectado • https://helpcenter.trendmicro.com/en-us/article/tmka-10954 • CWE-427: Uncontrolled Search Path Element •
CVE-2021-32461 – Trend Micro Password Manager Integer Truncation Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-32461
Trend Micro Password Manager (Consumer) version 5.0.0.1217 and below is vulnerable to an Integer Truncation Privilege Escalation vulnerability which could allow a local attacker to trigger a buffer overflow and escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Trend Micro Password Manager (Consumer) versiones 5.0.0.1217 y por debajo es susceptible a una vulnerabilidad de Escalada de Privilegios por Truncamiento de Enteros que podría permitir a un atacante local desencadenar un desbordamiento de búfer y una escalada de privilegios en las instalaciones afectadas. Un atacante debe obtener primero la capacidad de ejecutar código poco privilegiado en el sistema objetivo para poder explotar esta vulnerabilidad This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Password Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Trend Micro Password Manager Central Control Service. • https://helpcenter.trendmicro.com/en-us/article/TMKA-10388 https://www.zerodayinitiative.com/advisories/ZDI-21-773 • CWE-681: Incorrect Conversion between Numeric Types •
CVE-2021-32462 – Trend Micro Password Manager Exposed Dangerous Function Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-32462
Trend Micro Password Manager (Consumer) version 5.0.0.1217 and below is vulnerable to an Exposed Hazardous Function Remote Code Execution vulnerability which could allow an unprivileged client to manipulate the registry and escalate privileges to SYSTEM on affected installations. Authentication is required to exploit this vulnerability. Trend Micro Password Manager (Consumer) versiones 5.0.0.1217 y por debajo es susceptible a una vulnerabilidad de Ejecución de Código Remota de Función Peligrosa Expuesta que podría permitir a un cliente no privilegiado manipular el registro y escalar privilegios para SYSTEM en las instalaciones afectadas. Es requerida la autenticación para explotar esta vulnerabilidad This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Password Manager. Authentication is required to exploit this vulnerability. The specific flaw exists within the Trend Micro Password Manager Central Control Service. • https://helpcenter.trendmicro.com/en-us/article/TMKA-10388 https://www.zerodayinitiative.com/advisories/ZDI-21-774 •