Lucene search
Steven Seeley (mr_me) of Source InciteZDI-18-413HistoryMay 04, 2018 - 12:00 a.m.
Trend Micro Encryption for Email Gateway editPolicy editRuleId SQL Injection Information Disclosure Vulnerability
2018-05-0400:00:00
Steven Seeley (mr_me) of Source Incite
www.zerodayinitiative.com
8
0.007 Low
EPSS
Percentile
80.6%
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Trend Micro Encryption for Email Gateway. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the formEditPolicy class. When parsing the editRuleId parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root.
References
Related
prion
prion
Sql injection
2018-03-15 19:29:00
nvd
nvd
CVE-2018-6229
2018-03-15 19:29:01
cve
cve
CVE-2018-6229
2018-03-15 19:29:01
zdi
zdi
cvelist
cvelist
CVE-2018-6229
2018-03-15 19:00:00
coresecurity
coresecurity
Trend Micro Email Encryption Gateway Multiple Vulnerabilities
2018-02-21 00:00:00
zdt
zdt
packetstorm
packetstorm
Trend Micro Email Encryption Gateway XSS / Code Execution
2018-02-21 00:00:00
exploitpack
exploitpack
exploitdb
exploitdb