CVE-2017-6340
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2 - Multiple Vulnerabilities
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize a rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect access control that allows any authenticated, remote user (even with low privileges like 'Auditor') to create or modify reports, and consequently take advantage of this XSS vulnerability. The JavaScript is executed when victims visit reports or auditlog pages.
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 en versiones anteriores a CP 1746 no sanea un nombre de archivo rest/commonlog/report/template, que permite que un usuario de 'Reports Only' inyecte JavaScript malintencionado mientras crea un nuevo informe. Además, IWSVA implementa un control de acceso incorrecto que permite a cualquier usuario remoto autenticado (incluso con privilegios bajos como "Auditor") crear o modificar informes y, en consecuencia, aprovechar esta vulnerabilidad XSS. El JavaScript se ejecuta cuando las víctimas visitan los informes o las páginas de auditlog.
Trend Micro Interscan Web Security Virtual Appliance (IWSVA) version 6.5 SP2 suffers from faulty access controls, stored cross site scripting, and information disclosure vulnerabilities
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-01-12 First Exploit
- 2017-02-26 CVE Reserved
- 2017-04-05 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/97487 | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/42013 | 2017-01-12 | |
https://www.qualys.com/2017/01/12/qsa-2017-01-12/qsa-2017-01-12.pdf | 2024-08-05 |
URL | Date | SRC |
---|---|---|
https://success.trendmicro.com/solution/1116960 | 2017-04-11 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Trendmicro Search vendor "Trendmicro" | Interscan Web Security Virtual Appliance Search vendor "Trendmicro" for product "Interscan Web Security Virtual Appliance" | <= 6.5 Search vendor "Trendmicro" for product "Interscan Web Security Virtual Appliance" and version " <= 6.5" | - |
Affected
|