CVE-2017-11394

Опубликовано: 03 авг. 2017

Источник: nvd

CVSS3: 9.8

CVSS2: 10

EPSS Высокий

Описание

Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the T parameter within Proxy.php. Formerly ZDI-CAN-4544.

Ссылки

http://www.securityfocus.com/bid/100130
Third Party Advisory
VDB Entry
http://www.zerodayinitiative.com/advisories/ZDI-17-521
Third Party Advisory
VDB Entry
https://success.trendmicro.com/solution/1117769
Mitigation
Patch
Vendor Advisory
https://www.exploit-db.com/exploits/42971/
http://www.securityfocus.com/bid/100130
Third Party Advisory
VDB Entry
http://www.zerodayinitiative.com/advisories/ZDI-17-521
Third Party Advisory
VDB Entry
https://success.trendmicro.com/solution/1117769
Mitigation
Patch
Vendor Advisory
https://www.exploit-db.com/exploits/42971/

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:trendmicro:officescan:11.0:sp1:*:*:*:*:*:*

cpe:2.3:a:trendmicro:officescan:12.0:*:*:*:*:*:*:*

EPSS

Процентиль: 99%

0.80666

Высокий

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-20

Связанные уязвимости

GHSA-2pxr-78xf-pr6j

CVSS3: 9.8

github

больше 3 лет назад

BDU:2017-01818

fstec

больше 8 лет назад

Уязвимость средства антивирусной защиты Trend Micro OfficeScan, позволяющая нарушителю выполнить произвольный код