The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url parameter to (1) api/openUrlInDefaultBrowser or (2) api/showSB.
Max CVSS
10.0
EPSS Score
17.11%
Published
2016-04-12
Updated
2021-09-09

CVE-2016-7552

Public exploit
On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS.
Max CVSS
10.0
EPSS Score
96.71%
Published
2017-04-12
Updated
2017-04-17
Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows attackers to write to arbitrary files and consequently execute arbitrary code with root privileges by leveraging failure to validate software updates.
Max CVSS
10.0
EPSS Score
0.88%
Published
2017-05-26
Updated
2021-09-09
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the tr parameter within Proxy.php. Formerly ZDI-CAN-4543.
Max CVSS
10.0
EPSS Score
12.94%
Published
2017-08-03
Updated
2017-08-06

CVE-2017-11394

Public exploit
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the T parameter within Proxy.php. Formerly ZDI-CAN-4544.
Max CVSS
10.0
EPSS Score
64.71%
Published
2017-08-03
Updated
2017-10-14
SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations.
Max CVSS
10.0
EPSS Score
63.94%
Published
2017-09-22
Updated
2017-09-29
A vulnerability in Trend Micro Maximum Security's (Consumer) 2018 (versions 12.0.1191 and below) User-Mode Hooking (UMH) driver could allow an attacker to create a specially crafted packet that could alter a vulnerable system in such a way that malicious code could be injected into other processes.
Max CVSS
10.0
EPSS Score
2.49%
Published
2018-07-06
Updated
2018-08-28
A SQL injection vulnerability in a Trend Micro Email Encryption Gateway 5.5 policy script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system.
Max CVSS
10.0
EPSS Score
0.41%
Published
2018-03-15
Updated
2018-04-04
A SQL injection vulnerability in an Trend Micro Email Encryption Gateway 5.5 edit policy script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system.
Max CVSS
10.0
EPSS Score
0.71%
Published
2018-03-15
Updated
2018-04-04
A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to conduct a server-side request forgery (SSRF) attack on vulnerable installations.
Max CVSS
10.0
EPSS Score
0.17%
Published
2018-08-15
Updated
2020-12-08
A directory traversal vulnerability in Trend Micro Apex One, OfficeScan (11.0, XG) and Worry-Free Business Security (9.5, 10.0) may allow an attacker to bypass authentication and log on to an affected product's management console as a root user. The vulnerability does not require authentication.
Max CVSS
10.0
EPSS Score
0.27%
Published
2019-10-28
Updated
2019-11-05
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to manipulate system updates using a combination of CSRF bypass (CVE-2020-8461) and authentication bypass (CVE-2020-8464) to execute code as user root.
Max CVSS
10.0
EPSS Score
0.20%
Published
2020-12-17
Updated
2021-07-21
Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges. Authentication is not required to exploit this vulnerability.
Max CVSS
10.0
EPSS Score
2.94%
Published
2020-03-18
Updated
2021-07-21

CVE-2020-8599

Known exploited
Trend Micro Apex One (2019) and OfficeScan XG server contain a vulnerable EXE file that could allow a remote attacker to write arbitrary data to an arbitrary path on affected installations and bypass ROOT login. Authentication is not required to exploit this vulnerability.
Max CVSS
10.0
EPSS Score
18.09%
Published
2020-03-18
Updated
2022-07-12
CISA KEV Added
2021-11-03
A vulnerability in Trend Micro ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for Network Appliance Filers 5.8, and ServerProtect for Microsoft Windows / Novell Netware 5.8 could allow a remote attacker to bypass authentication on affected installations.
Max CVSS
10.0
EPSS Score
1.99%
Published
2021-09-29
Updated
2022-07-12
Remote Command Execution in com.trend.iwss.gui.servlet.ManagePatches in Trend Micro Interscan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to run arbitrary commands on the system as root via Patch Update functionality. This was resolved in Version 6.5 CP 1737.
Max CVSS
9.9
EPSS Score
0.35%
Published
2017-02-21
Updated
2017-07-25
The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration."
Max CVSS
9.8
EPSS Score
10.95%
Published
2008-08-27
Updated
2024-02-14
SQL injection vulnerability in the authentication functionality in Trend Micro Email Encryption Gateway (TMEEG) 5.5 before build 1107 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Max CVSS
9.8
EPSS Score
0.48%
Published
2016-05-05
Updated
2021-09-09

CVE-2016-7547

Public exploit
A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in the admin_sys_time.cgi interface.
Max CVSS
9.8
EPSS Score
11.09%
Published
2017-04-12
Updated
2017-04-17
Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier uses predictable session values, which allows remote attackers to bypass authentication by guessing the value.
Max CVSS
9.8
EPSS Score
4.15%
Published
2017-04-28
Updated
2017-05-10
Backup archives were found to be encrypted with a static password across different installations, which suggest the same password may be used in all virtual appliance instances of Trend Micro Deep Discovery Director 1.1.
Max CVSS
9.8
EPSS Score
0.24%
Published
2017-08-01
Updated
2017-08-07
A command injection vulnerability exists in Trend Micro Deep Discovery Director 1.1 that allows an attacker to restore accounts that can access the pre-configuration console.
Max CVSS
9.8
EPSS Score
0.18%
Published
2017-08-01
Updated
2019-10-03
SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when executing opcode 0x1b07 due to lack of proper user input validation in cmdHandlerTVCSCommander.dll. Formerly ZDI-CAN-4560.
Max CVSS
9.8
EPSS Score
12.52%
Published
2017-08-02
Updated
2017-08-08
SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when executing opcode 0x3b21 due to lack of proper user input validation in mdHandlerLicenseManager.dll. Formerly ZDI-CAN-4561.
Max CVSS
9.8
EPSS Score
12.52%
Published
2017-08-02
Updated
2017-08-08
SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when executing opcode 0x6b1b due to lack of proper user input validation in cmdHandlerStatusMonitor.dll. Formerly ZDI-CAN-4545.
Max CVSS
9.8
EPSS Score
12.52%
Published
2017-08-02
Updated
2017-08-06
485 vulnerabilities found
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!