Trend Micro Officescan vulnerabilities

53 known vulnerabilities affecting trend_micro/trend_micro_officescan.

Total CVEs: 53
CISA KEV: 3 (actively exploited)
Public exploits: 8
Exploited in wild: 3
Severity breakdown: CRITICAL 3, HIGH 20, MEDIUM 30

Vulnerabilities

Page 2 of 3
CVE-2021-25248 | MEDIUM | CVSS 5.5 | Version: XG SP1 | 2021-02-04
CWE-125: An out-of-bounds read information disclosure vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security (10.0 SP1 and Services) could allow an attacker to disclose sensitive information about a named pipe. Please note: an attacker must first obtain the ability to execute low-privileged code on the t
Sources: cvelistv5, nvd
CVE-2021-25235 | MEDIUM | CVSS 5.3 | Version: XG SP1 | 2021-02-04
An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about a content inspection configuration file.
Sources: cvelistv5, nvd
CVE-2021-25238 | MEDIUM | CVSS 5.3 | Version: XG SP1 | 2021-02-04
An improper access control information disclosure vulnerability in Trend Micro OfficeScan XG SP1 and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about an agent's managing port.
Sources: cvelistv5, nvd
CVE-2021-25242 | MEDIUM | CVSS 5.3 | Version: XG SP1 | 2021-02-04
An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain version and build information.
Sources: cvelistv5, nvd
CVE-2020-28583 | MEDIUM | CVSS 5.3 | Version: XG SP1 | 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version, build and patch information.
Sources: cvelistv5, nvd
CVE-2020-28573 | MEDIUM | CVSS 5.3 | Version: XG SP1 | 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal the total agents managed by the server.
Sources: cvelistv5, nvd
CVE-2020-28577 | MEDIUM | CVSS 5.3 | Version: XG SP1 | 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal server hostname and db names.
Sources: cvelistv5, nvd
CVE-2020-28576 | MEDIUM | CVSS 5.3 | Version: XG SP1 | 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version and build information.
Sources: cvelistv5, nvd
CVE-2020-28582 | MEDIUM | CVSS 5.3 | Version: XG SP1 | 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal number of managed agents.
Sources: cvelistv5, nvd
CVE-2020-24562 | HIGH | CVSS 7.8 | Version: XG SP1 | 2020-09-28
A vulnerability in Trend Micro OfficeScan XG SP1 on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code execution. An attacker must first obtain the ability to execute low-privileged code on the target
Sources: cvelistv5
CVE-2020-24556 | HIGH | CVSS 7.8 | Version: XG SP1 | 2020-09-01
CWE-59: A vulnerability in Trend Micro Apex One, OfficeScan XG SP1, Worry-Free Business Security 10 SP1 and Worry-Free Business Security Services on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code execution. An attacker must first obtain the ability
Sources: cvelistv5, nvd
CVE-2020-8607 | MEDIUM | CVSS 6.7 | Version: XG SP1 | 2020-08-05
CWE-20: An input validation vulnerability found in multiple Trend Micro products utilizing a particular version of a specific rootkit protection driver could allow an attacker in user-mode with administrator permissions to abuse the driver to modify a kernel address that may cause a system crash or potentially lead to code execution in kernel mode. An attacker
Sources: cvelistv5, nvd
CVE-2019-18187 | HIGH | CVSS 7.5 | KEV | Version: 11.0, XG (12.0) | 2019-10-28
CWE-22: Trend Micro OfficeScan versions 11.0 and XG (12.0) could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to a web service account, which d
Sources: cvelistv5, nvd
CVE-2019-9492 | HIGH | CVSS 7.8 | Version: 11.0 SP1, XG (12.0) | 2019-07-26
CWE-426: A DLL side-loading vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow an authenticated attacker to gain code execution and terminate the product's process - disabling endpoint protection. The attacker must have already gained authentication and have local access to the vulnerable system.
Sources: cvelistv5, nvd
CVE-2018-18332 | HIGH | CVSS 7.5 | Version: XG (12.0) | 2018-12-21
CWE-732: A Trend Micro OfficeScan XG weak file permissions vulnerability may allow an attacker to potentially manipulate permissions on some key files to modify other files and folders on vulnerable installations.
Sources: cvelistv5, nvd
CVE-2018-18331 | HIGH | CVSS 7.5 | Version: XG (12.0) | 2018-12-21
CWE-732: A Trend Micro OfficeScan XG weak file permissions vulnerability on a particular folder for a particular group may allow an attacker to alter the files, which could lead to other exploits on vulnerable installations.
Sources: cvelistv5, nvd
CVE-2018-15364 | MEDIUM | CVSS 4.7 | Version: XG (12.0) | 2018-08-30
CWE-200: A Named Pipe Request Processing Out-of-Bounds Read Information Disclosure vulnerability in Trend Micro OfficeScan XG (12.0) could allow a local attacker to disclose sensitive information on vulnerable installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit the vulnerability.
Sources: cvelistv5, nvd
CVE-2018-10509 | HIGH | CVSS 8.8 | Version: 11.0 SP1, XG | 2018-06-12
A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow an attacker to exploit it via a Browser Refresh attack on vulnerable installations. An attacker must be using an AD logon user account in order to exploit this vulnerability.
Sources: cvelistv5, nvd
CVE-2018-10508 | HIGH | CVSS 8.8 | Version: 11.0 SP1, XG | 2018-06-12
A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow an attacker to use a specially crafted URL to elevate account permissions on vulnerable installations. An attacker must already have at least guest privileges in order to exploit this vulnerability.
Sources: cvelistv5, nvd
CVE-2018-10507 | MEDIUM | CVSS 4.4 | PoC | Version: 11.0 SP1, XG | 2018-06-12
A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow an attacker to take a series of steps to bypass or render the OfficeScan Unauthorized Change Prevention inoperable on vulnerable installations. An attacker must already have administrator privileges in order to exploit this vulnerability.
Sources: cvelistv5, nvd