CVE-2017-7896
published 2017-04-18

CVE-2017-7896: Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS.

Priority: P3 (38, medium)
CVSS 3.0 base score: 6.1 (AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N)
EPSS: 4.28% (89.9th percentile)

Affected (1 range)

Vendor       Product                                          Version range   Fixed in
trendmicro   interscan_messaging_security_virtual_appliance   <= 9.1

Detection & IOCs (extracted from sources)

  • port: 443
  • cookie: JSESSIONID
  • path: diagnostic.log
  • filename: Proxy.php
  • path: mod TMCSS
  • Monitor HTTP requests to Proxy.php under the TMCSS module path for unsanitized parameters that may indicate command injection attempts.
  • Alert on unauthenticated HTTP GET/POST requests to diagnostic.log on the IMSVA management interface (TCP 443), as this file exposes JSESSIONID values enabling authentication bypass.
  • Detect exploitation chain: unauthenticated access to diagnostic.log followed by subsequent authenticated requests using a harvested JSESSIONID cookie to Proxy.php.
  • The vulnerability chain (auth bypass + RCE) is only exploitable against IMSVA 9.1 versions prior to CP 1644; patched versions are not affected.
  • The management interface must be network-accessible on TCP 443 for exploitation; restricting access to this port mitigates exposure.
  • The widget feature implemented in PHP is a prerequisite for the attack surface; the TMCSS module's Proxy.php must be present and accessible.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      6.1     MEDIUM     CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd      v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:N/I:P/A:N