Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-9316 — Cross-site Scripting in Interscan WEB Security Virtual Appliance

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.6%

top 29.83%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Trendmicro Interscan WEB Security Virtual Appliance

Timeline

PublishedFeb 21

Latest updateMay 17

Description

Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allow authenticated, remote users with least privileges to inject arbitrary HTML/JavaScript code into web pages. This was resolved in Version 6.5 CP 1737.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

▶NVDtrendmicro/interscan_web_security_virtual_appliance6.5

Patches

Patch: success.trendmicro.com ↗Patch: success.trendmicro.com ↗

🔴Vulnerability Details

GHSA

GHSA-h5f5-c92q-m52p: Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com↗2022-05-17

▶

CVEList

CVE-2016-9316: Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com↗2017-02-21

▶

💥Exploits & PoCs

Exploit-DB

Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities↗2016-11-28

▶