CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2021-25251
https://notcve.org/view.php?id=CVE-2021-25251
The Trend Micro Security 2020 and 2021 families of consumer products are vulnerable to a code injection vulnerability which could allow an attacker to disable the program's password protection and disable protection. An attacker must already have administrator privileges on the machine to exploit this vulnerability. Las familias de productos de consumo Trend Micro Security 2020 y 2021, son vulnerables a una vulnerabilidad de inyección de código que podría permitir a un atacante desactivar la protección con contraseña del programa y desactivar la protección. Un atacante ya debe tener privilegios de administrador en la máquina para explotar esta vulnerabilidad • https://helpcenter.trendmicro.com/en-us/article/TMKA-10211 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-27697
https://notcve.org/view.php?id=CVE-2020-27697
Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a non-protected location with high privileges (symlink attack) which can lead to obtaining administrative privileges during the installation of the product. Trend Micro Security 2020 (Consumer), contiene una vulnerabilidad en el paquete de instalación que podría ser explotada al colocar una DLL maliciosa en una ubicación no protegida con altos privilegios (ataque de tipo symlink) que puede conllevar a una obtención de privilegios administrativos durante la instalación del producto • https://helpcenter.trendmicro.com/en-us/article/TMKA-10036 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-27695
https://notcve.org/view.php?id=CVE-2020-27695
Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a local directory which can lead to obtaining administrative privileges during the installation of the product. Trend Micro Security 2020 (Consumer), contiene una vulnerabilidad en el paquete de instalación que podría ser explotada al colocar una DLL maliciosa en un directorio local que puede conllevar a una obtención de privilegios administrativos durante la instalación del producto • https://helpcenter.trendmicro.com/en-us/article/TMKA-10036 • CWE-426: Untrusted Search Path •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-27696
https://notcve.org/view.php?id=CVE-2020-27696
Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a specific Windows system directory which can lead to obtaining administrative privileges during the installation of the product. Trend Micro Security 2020 (Consumer) contiene una vulnerabilidad en el paquete de instalación que podría ser explotada al colocar un directorio de sistema de Windows específico que puede conllevar a una obtención de privilegios administrativos durante la instalación del producto • https://helpcenter.trendmicro.com/en-us/article/TMKA-10036 •
CVSS: 6.3EPSS: 0%CPEs: 5EXPL: 0CVE-2020-25775 – Trend Micro Maximum Security Race Condition Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2020-25775
The Trend Micro Security 2020 (v16) consumer family of products is vulnerable to a security race condition arbitrary file deletion vulnerability that could allow an unprivileged user to manipulate the product's secure erase feature to delete files with a higher set of privileges. La familia de productos de consumo Trend Micro Security 2020 (versión v16), es susceptible a una vulnerabilidad de eliminación de archivos arbitraria de una condición de carrera de seguridad que podría permitir a un usuario poco privilegiado manipular la funcionalidad de borrado seguro del producto para eliminar archivos con un mayor conjunto de privilegios This vulnerability allows local attackers to delete arbitrary files on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of the Secure Erase feature. The issue results from the lack of proper validation of a user-supplied link prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM. • https://helpcenter.trendmicro.com/en-us/article/TMKA-09909 https://www.zerodayinitiative.com/advisories/ZDI-20-1227 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •