Trend Micro Control Manager AdHocQuery_SelectView XPATH Injection Information Disclosure Vulnerability

ID ZDI-16-461
Type zdi
Reporter k0rpr1t_z0mb1e
Modified 2016-06-22T00:00:00


This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Trend Micro Control Manager. Authentication is required to exploit this vulnerability. The specific flaw exists within AdHocQuery_SelectView.aspx. The issue lies in the failure to sanitize user-supplied input prior to executing an XML query. An attacker can use this information in conjunction with other vulnerabilities to execute code in the context of the process.