PatchSiren

Trendmicro CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Trendmicro CVE published 2017-02-21

CVE-2016-9316

CVE-2016-9316 covers multiple stored cross-site scripting (XSS) flaws in Trend Micro InterScan Web Security Virtual Appliance (IWSVA). Authenticated remote users with the least privileges could inject arbitrary HTML or JavaScript into web pages through the com.trend.iwss.gui.servlet.updateaccountadministration component. Trend Micro states the issue was resolved in Version 6.5 CP 1737.

HIGH Trendmicro CVE published 2017-02-21

CVE-2016-9315

CVE-2016-9315 is a high-severity privilege-escalation issue in Trend Micro InterScan Web Security Virtual Appliance (IWSVA). According to the CVE record, an authenticated remote user with the least privileges could change the Master Admin password and/or add new administrator accounts. NVD lists the vulnerable range as IWSVA version 6.5 and earlier, and Trend Micro’s referenced fix is Version 6.5 CP 1737.

HIGH Trendmicro CVE published 2017-02-21

CVE-2016-9314

CVE-2016-9314 is a sensitive information disclosure issue in Trend Micro InterScan Web Security Virtual Appliance (IWSVA). According to the NVD record and Trend Micro’s advisory, an authenticated remote user with the least privileges could use the ConfigBackup servlet to back up the system configuration and download it locally, exposing sensitive data such as passwd/shadow files, RSA certificates, private key [truncated]

CRITICAL Trendmicro CVE published 2017-02-21

CVE-2016-9269

CVE-2016-9269 is a critical remote command execution vulnerability in Trend Micro InterScan Web Security Virtual Appliance (IWSVA). According to the CVE description, authenticated remote users with the least privileges can run arbitrary commands on the system as root through the Patch Update functionality. The issue affects version 6.5-SP2_Build_Linux_1707 and earlier and was resolved in Version 6.5 CP 1737.

HIGH Trendmicro CVE published 2017-01-30

CVE-2016-6270

CVE-2016-6270 is a high-severity authenticated command-injection issue in Trend Micro Virtual Mobile Infrastructure (VMI) before 5.1. According to the CVE description, the handle_certificate function in /vmi/manager/engine/management/commands/apns_worker.py can be abused through shell metacharacters in the password supplied to api/v1/cfg/oauth/save_identify_pfx/, enabling arbitrary command execution by a [truncated]

CRITICAL Trendmicro CVE published 2017-01-30

CVE-2016-6269

CVE-2016-6269 is a critical Trend Micro Smart Protection Server vulnerability involving multiple directory traversal flaws. The issue affects Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330. According to the published vulnerability description, a remote attacker can use the tmpfname parameter in several log management handlers, and the tf parameter in wcs_bw [truncated]

HIGH Trendmicro CVE published 2017-01-30

CVE-2016-6268

CVE-2016-6268 is a high-severity Trend Micro Smart Protection Server flaw that can let a local webserv user execute arbitrary code with root privileges. The vulnerable builds listed in the NVD record are Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330. The issue is tied to a Trojan horse .war file placed in the Solr webapps directory, and the NVD CVSS vector [truncated]

HIGH Trendmicro CVE published 2017-01-30

CVE-2016-6267

CVE-2016-6267 describes an authenticated command injection issue in Trend Micro Smart Protection Server’s SnmpUtils handling for admin_notification.php. If an attacker can authenticate to the product, shell metacharacters in specific parameters may be used to execute arbitrary commands on affected systems.

HIGH Trendmicro CVE published 2017-01-30

CVE-2016-6266

CVE-2016-6266 is a high-severity authenticated remote command execution vulnerability in Trend Micro Smart Protection Server. The issue affects Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330. According to the NVD description, shell metacharacters in multiple parameters handled by cccca_ajaxhandler.php can let a remote authenticated user execute arbitrary commands.