Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize a rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect access control that allows any authenticated, remote user (even with low privileges like 'Auditor') to create or modify reports, and consequently take advantage of this XSS vulnerability. The JavaScript is executed when victims visit reports or auditlog pages.
References
| Link | Resource |
|---|---|
| http://www.securityfocus.com/bid/97487 | Third Party Advisory VDB Entry |
| https://success.trendmicro.com/solution/1116960 | Patch Vendor Advisory |
| https://www.qualys.com/2017/01/12/qsa-2017-01-12/qsa-2017-01-12.pdf | Exploit Technical Description Third Party Advisory |
| http://www.securityfocus.com/bid/97487 | Third Party Advisory VDB Entry |
| https://success.trendmicro.com/solution/1116960 | Patch Vendor Advisory |
| https://www.qualys.com/2017/01/12/qsa-2017-01-12/qsa-2017-01-12.pdf | Exploit Technical Description Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 03:29
| Type | Values Removed | Values Added |
|---|---|---|
| References | () http://www.securityfocus.com/bid/97487 - Third Party Advisory, VDB Entry | |
| References | () https://success.trendmicro.com/solution/1116960 - Patch, Vendor Advisory | |
| References | () https://www.qualys.com/2017/01/12/qsa-2017-01-12/qsa-2017-01-12.pdf - Exploit, Technical Description, Third Party Advisory |
Information
Published : 2017-04-05 16:59
Updated : 2024-11-21 03:29
NVD link : CVE-2017-6340
Mitre link : CVE-2017-6340
CVE.ORG link : CVE-2017-6340
JSON object : View
Products Affected
trendmicro
- interscan_web_security_virtual_appliance
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')