Published: 05/04/2017 Updated: 11/04/2017

CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8

CVSS v3 Base Score: 5.4 | Impact Score: 2.7 | Exploitability Score: 2.3

VMScore: 355

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize a rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect access control that allows any authenticated, remote user (even with low privileges like 'Auditor') to create or modify reports, and consequently take advantage of this XSS vulnerability. The JavaScript is executed when victims visit reports or auditlog pages.

Vulnerable Product	Search on Vulmon	Subscribe to Product
trendmicro interscan web security virtual appliance

# Exploit Title: [Trend Micro Interscan Web Security Virtual Appliance (IWSVA) 65x Multiple Vulnerabilities] # Date: [12/01/2017] # Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot # Vendor Homepage: [wwwtrendmicrocom/us/enterprise/network-security/interscan-web-security/virtual-appliance/] # Version: [Tested on IWSVA 65-SP2 Crit ...

Trend Micro Interscan Web Security Virtual Appliance (IWSVA) version 65 SP2 suffers from faulty access controls, stored cross site scripting, and information disclosure vulnerabilities ...

CWE-79 https://www.qualys.com/2017/01/12/qsa-2017-01-12/qsa-2017-01-12.pdf https://success.trendmicro.com/solution/1116960 http://www.securityfocus.com/bid/97487 https://nvd.nist.gov https://www.exploit-db.com/exploits/42013/

CVE-2017-6340

Vulnerability Summary

Exploits

References

Vulmon Search

About

Products

Connect