CVE-2020-24560

CWE-295 — Improper Certificate Validation3 documents3 sources

Severity

7.5HIGH

EPSS

0.2%

top 55.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trendmicro Antivirus\+ 2019 Trendmicro Internet Security 2019 Trendmicro Maximum Security 2019 +3 more

Timeline

PublishedSep 24

Latest updateMay 24

Description

An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CWE-295: Improper server certificate verification in the communication with the update server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDtrendmicro/maximum_security_201915.0

▶NVDtrendmicro/premium_security_201915.0

▶NVDtrendmicro/internet_security_201915.0

▶CVEListV5trend_micro/trend_micro_security_(consumer)2019 (v15)

▶NVDtrendmicro/antivirus\+_201915.0

🔴Vulnerability Details

GHSA

GHSA-5gc2-xc6c-wh7r: An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an atta↗2022-05-24

▶

CVEList

CVE-2020-24560: An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an atta↗2020-09-24

▶