CVE-2017-11388
Trend Micro Control Manager RestfulServiceUtility.NET SQL Injection Remote Code Execution Vulnerability
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when RestfulServiceUtility.NET.dll doesn't properly validate user provided strings before constructing SQL queries. Formerly ZDI-CAN-4639 and ZDI-CAN-4638.
An SQL injection vulnerability in Trend Micro Control Manager 6.0 allows remote code execution when RestfulServiceUtility.NET.dll does not properly validate user-supplied strings before constructing SQL queries. This vulnerability was formerly tracked as ZDI-CAN-4639 and ZDI-CAN-4638.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Control Manager. Authentication is required to exploit this vulnerability.
The specific flaw exists within the Investigate endpoint in RestfulServiceUtility.NET.dll. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute arbitrary code under the context of NETWORKSERVICE.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2017-07-17 CVE Reserved
- 2017-07-31 CVE Published
- 2024-08-05 CVE Updated
- 2024-11-02 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (5)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/100078 | Vdb Entry | |
http://www.securitytracker.com/id/1039049 | Vdb Entry | |
http://www.zerodayinitiative.com/advisories/ZDI-17-498 | Third Party Advisory | |
http://www.zerodayinitiative.com/advisories/ZDI-17-499 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://success.trendmicro.com/solution/1117722 | 2017-08-06 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Trendmicro | Control Manager | 6.0 | - | Affected |