Vulners
Lucene search
Trend Micro Deep Discovery 3.7.1096 Authentication Bypass / XSS Vulnerabilities
| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
 | Trend Micro Deep Discovery Inspector Authentication Bypass Vulnerability | 20 Aug 201500:00 | – | cnvd |
| Trend Micro Deep Discovery Inspector Cross-Site Scripting Vulnerability | 20 Aug 201500:00 | – | cnvd |
 | CVE-2015-2872 | 23 Aug 201515:00 | – | cve |
| CVE-2015-2873 | 23 Aug 201515:00 | – | cve |
 | CVE-2015-2872 | 23 Aug 201515:00 | – | cvelist |
| CVE-2015-2873 | 23 Aug 201515:00 | – | cvelist |
 | EUVD-2015-2960 | 7 Oct 202500:30 | – | euvd |
| EUVD-2015-2961 | 7 Oct 202500:30 | – | euvd |
 | CVE-2015-2872 | 23 Aug 201515:59 | – | nvd |
| CVE-2015-2873 | 23 Aug 201515:59 | – | nvd |
10
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DDI-0818.txt
Vendor:
================================
www.trendmicro.com
Product:
===================================
Trend Micro Deep Discovery 3.7.1096
Vulnerability Type:
===================
Authentication Bypass
CVE Reference:
==============
CVE-2015-2873
Vulnerability Details:
===========================================================
http://esupport.trendmicro.com/solution/en-US/1112206.aspx
http://www.kb.cert.org/vuls/id/248692
Trend Micro Deep Discovery Threat Appliance version 3.7.1096
Certain Deep Discovery Inspector URLs including the system log and
whitelist/blacklist are accessible to a non-administrator user
because the pages do not properly check for authorization. An
unauthenticated user without administrator privileges may thus
gain access to and modify certain system configuration settings.
Several URLs, including the system log, whitelist, and blacklist,
are accessible to a non-administrator user by direct request.
The pages do not properly check for authorization.
Impact:
=======
An authenticated user without administrator privileges may access
and modify certain system configuration settings.
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] Trend Micro Deep Discovery 3.7.1096
Vulnerable Parameter(s): [+] syslog, whitelist, blacklist
Affected Area(s): [+] Trend Micro Deep Discovery
Vulnerability Details:
==========================================================
http://esupport.trendmicro.com/solution/en-US/1112206.aspx
http://www.kb.cert.org/vuls/id/248692
Deep Discovery Inspector is vulnerable to XSS attacks that
could allow an unauthenticated user to execute malicious content.
On some legacy browsers like IE 7 with a low Security Level,
Deep Discovery Inspector is vulnerable to XSS that allows an
unauthenticated user to execute malicious content through the index.php
The widget implementation is vulnerable to XSS that allows an
unauthenticated user to execute malicious content.
Exploit code(s):
===============
https://localhost/widget/index.php?menuUrl=1&contentUrl='"%25;alert('XSS+By+hyp3rlinx+\nMarch+2015')//
# 0day.today [2018-01-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Aug 2015 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.02576