CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6231 – Trend Micro Smart Protection Server Auth Command Injection Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2018-6231
A server auth command injection authentication bypass vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.3 and below could allow remote attackers to escalate privileges on vulnerable installations. Una vulnerabilidad de omisión de autenticación y de inyección de comandos auth del servidor en Trend Micro Smart Protection Server (Standalone) en versiones 3.3 y anteriores podría permitir que los atacantes remotos escalen privilegios en instalaciones vulnerables. This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Trend Micro Smart Protection Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of credentials provided at login. When parsing the username, the process does not properly validate a user-supplied string before using it to execute a system call. • https://success.trendmicro.com/solution/1119385 https://www.zerodayinitiative.com/advisories/ZDI-18-218 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2017-11398 – Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control
https://notcve.org/view.php?id=CVE-2017-11398
A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an unauthenticated attacker to hijack active user sessions to perform authenticated requests on a vulnerable system. Una vulnerabilidad de secuestro de sesión mediante divulgación de logs en Trend Micro Smart Protection Server (Standalone), en versiones 3.2 y anteriores, podría permitir que un atacante no autenticado secuestre sesiones activas de usuario para realizar peticiones autenticadas en un sistema vulnerable. Trend Micro Smart Protection Server version 3.2 suffers from access control bypass, cross site scripting, information disclosure, and various other vulnerabilities. • https://www.exploit-db.com/exploits/43388 http://www.securityfocus.com/bid/102275 https://success.trendmicro.com/solution/1118992 https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities • CWE-285: Improper Authorization CWE-534: DEPRECATED: Information Exposure Through Debug Log Files •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2017-14097 – Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control
https://notcve.org/view.php?id=CVE-2017-14097
An improper access control vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to decrypt contents of a database with information that could be used to access a vulnerable system. Una vulnerabilidad de control de acceso incorrecto en Trend Micro Smart Protection Server (Standalone) en versiones 3.2 y anteriores podría permitir que un atacante descifre el contenido de una base de datos con información que podría emplearse para acceder a un sistema vulnerable. Trend Micro Smart Protection Server version 3.2 suffers from access control bypass, cross site scripting, information disclosure, and various other vulnerabilities. • https://www.exploit-db.com/exploits/43388 http://www.securityfocus.com/bid/102275 https://success.trendmicro.com/solution/1118992 https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2017-14096 – Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control
https://notcve.org/view.php?id=CVE-2017-14096
A stored cross site scripting (XSS) vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to execute a malicious payload on vulnerable systems. Una vulnerabilidad de Cross-Site Scripting (XSS) persistente en Trend Micro Smart Protection Server (Standalone) en versiones 3.2 y anteriores podría permitir que un atacante ejecute una carga útil maliciosa en sistemas vulnerables. Trend Micro Smart Protection Server version 3.2 suffers from access control bypass, cross site scripting, information disclosure, and various other vulnerabilities. • https://www.exploit-db.com/exploits/43388 http://www.securityfocus.com/bid/102275 https://success.trendmicro.com/solution/1118992 https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 2CVE-2017-14094 – Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control
https://notcve.org/view.php?id=CVE-2017-14094
A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a cron job injection on a vulnerable system. Una vulnerabilidad en Trend Micro Smart Protection Server (Standalone), en versiones 3.2 y anteriores, podría permitir que un atacante realice la ejecución remota de comandos mediante una inyección cron job en un sistema vulnerable. Trend Micro Smart Protection Server version 3.2 suffers from access control bypass, cross site scripting, information disclosure, and various other vulnerabilities. • https://www.exploit-db.com/exploits/43388 http://www.securityfocus.com/bid/102275 https://success.trendmicro.com/solution/1118992 https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •