Trend Micro Control Manager AdHocQuery_Result XML External Entity Processing Information Disclosure Vulnerability

ID ZDI-17-099
Type zdi
Reporter Steven Seeley of Source Incite
Modified 2017-02-08T00:00:00


This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Trend Micro Control Manager. Authentication is required to exploit this vulnerability.

The specific flaw exists within AdHocQuery_Result.aspx. This page exhibits an XML external entity injection vulnerability. An attacker can leverage this vulnerability to disclose sensitive information under the context of NETWORKSERVICE.
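
The mitigation for this class of flaw in a .NET page, as an added example that is not Trend Micro's code and not part of the advisory. The advisory does not say how AdHocQuery_Result.aspx parses XML; use of System.Xml is an assumption, and the class name, method name and sample documents are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

public static class XxeHardeningDemo
{
    // Constructed sample input: declares an external entity. The URI is a
    // placeholder; the hardened parser rejects the document before resolving it.
    const string WithDtd =
        "<?xml version=\"1.0\"?>" +
        "<!DOCTYPE q [<!ENTITY x SYSTEM \"file:///placeholder.txt\">]>" +
        "<q>&x;</q>";

    // Constructed sample input: an ordinary document with no DTD.
    const string Benign = "<q>report-1</q>";

    // Risky configuration, shown for contrast only:
    //   DtdProcessing = DtdProcessing.Parse with XmlResolver = new XmlUrlResolver()
    // lets a DTD in untrusted input pull external resources into the document.

    // Hardened: any DOCTYPE is an error, and no resolver is available anywhere.
    public static XmlDocument LoadHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    public static void Main()
    {
        Console.WriteLine(LoadHardened(Benign).DocumentElement.InnerText);
        try
        {
            LoadHardened(WithDtd);
            Console.WriteLine("unexpected: DTD accepted");
        }
        catch (XmlException e)
        {
            // Log and return a generic error to the client; do not echo parser details.
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```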