Trendmicro Interscan Web Security Virtual Appliance vulnerabilities

29 known vulnerabilities affecting trendmicro/interscan_web_security_virtual_appliance.

Total CVEs

29

CISA KEV

0

Public exploits

8

Exploited in wild

0

Severity breakdown

CRITICAL5HIGH12MEDIUM12

Vulnerabilities

Page 2 of 2

CVE-2017-6339MEDIUMCVSS 6.5PoC≤ 6.52017-04-05

CVE-2017-6339 [MEDIUM] CWE-269 CVE-2017-6339: Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 mismanages certain k Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 mismanages certain key and certificate data. Per IWSVA documentation, by default, IWSVA acts as a private Certificate Authority (CA) and dynamically generates digital certificates that are sent to client browsers to complete a secure passage for HTTPS connections. It also

CVE-2017-6340MEDIUMCVSS 5.4PoC≤ 6.52017-04-05

CVE-2017-6340 [MEDIUM] CWE-79 CVE-2017-6340: Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize a Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize a rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect access control that allows any authenticated, remote user (even with low pri

CVE-2017-6338MEDIUMCVSS 6.5PoC≤ 6.52017-04-05

CVE-2017-6338 [MEDIUM] CWE-732 CVE-2017-6338: Multiple Access Control issues in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 b Multiple Access Control issues in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 allow an authenticated, remote user with low privileges like 'Reports Only' or 'Auditor' to change FTP Access Control Settings, create or modify reports, or upload an HTTPS Decryption Certificate and Private Key.

CVE-2016-9269CRITICALCVSS 9.9PoC≤ 6.52017-02-21

CVE-2016-9269 [CRITICAL] CWE-264 CVE-2016-9269: Remote Command Execution in com.trend.iwss.gui.servlet.ManagePatches in Trend Micro Interscan Web Se Remote Command Execution in com.trend.iwss.gui.servlet.ManagePatches in Trend Micro Interscan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to run arbitrary commands on the system as root via Patch Update functionality. This was resolved in Version 6.5 CP

CVE-2016-9315HIGHCVSS 8.8PoC≤ 6.52017-02-21

CVE-2016-9315 [HIGH] CWE-264 CVE-2016-9315: Privilege Escalation Vulnerability in com.trend.iwss.gui.servlet.updateaccountadministration in Tren Privilege Escalation Vulnerability in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to change Master Admin's password and/or add new admin accounts. This was resolved in Version 6.

CVE-2016-9314HIGHCVSS 7.8PoC≤ 6.52017-02-21

CVE-2016-9314 [HIGH] CWE-200 CVE-2016-9314: Sensitive Information Disclosure in com.trend.iwss.gui.servlet.ConfigBackup in Trend Micro InterScan Sensitive Information Disclosure in com.trend.iwss.gui.servlet.ConfigBackup in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to backup the system configuration and download it onto their local machine. This backup file contains sensitive

CVE-2016-9316MEDIUMCVSS 5.4PoC≤ 6.52017-02-21

CVE-2016-9316 [MEDIUM] CWE-79 CVE-2016-9316: Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.trend.iwss.gui.servlet.updateaccou Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allow authenticated, remote users with least privileges to inject arbitrary HTML/JavaScript code into web pages. This was resolv

CVE-2014-8510MEDIUMCVSS 4.0v5.1v5.5+2 more2014-11-07

CVE-2014-8510 [MEDIUM] CWE-20 CVE-2014-8510: The AdminUI in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) before 6.0 HF build 1244 The AdminUI in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) before 6.0 HF build 1244 allows remote authenticated users to read arbitrary files via vectors related to configuration input when saving filters.

CVE-2009-0612MEDIUMCVSS 4.3v3.12009-02-17

CVE-2009-0612 [MEDIUM] CWE-200 CVE-2009-0612: Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 3.x and InterScan Web Security Suite (I Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 3.x and InterScan Web Security Suite (IWSS) 3.x, when basic authorization is enabled on the standalone proxy, forwards the Proxy-Authorization header from Windows Media Player, which allows remote web servers to obtain credentials by offering a media stream and then capturing this header.

← Previous2 / 2