Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-6338 — Incorrect Permission Assignment in Interscan WEB Security Virtual Appliance

CWE-732 — Incorrect Permission Assignment5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

1.0%

top 22.83%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Trendmicro Interscan WEB Security Virtual Appliance

Timeline

PublishedApr 5

Latest updateMay 13

Description

Multiple Access Control issues in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 allow an authenticated, remote user with low privileges like 'Reports Only' or 'Auditor' to change FTP Access Control Settings, create or modify reports, or upload an HTTPS Decryption Certificate and Private Key.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDtrendmicro/interscan_web_security_virtual_appliance6.5

Patches

Patch: success.trendmicro.com ↗Patch: success.trendmicro.com ↗

🔴Vulnerability Details

GHSA

GHSA-5wg6-2996-wxf8: Multiple Access Control issues in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6↗2022-05-13

▶

CVEList

CVE-2017-6338: Multiple Access Control issues in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6↗2017-04-05

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Windows - Uniscribe Font Processing Heap Memory Corruption in 'USP10!otlCacheManager::GlyphsSubstituted' (MS17-011)↗2017-03-20

▶

Exploit-DB

Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2 - Multiple Vulnerabilities↗2017-01-12

▶