Trend Micro Control Manager download.php Information Disclosure
TSL ID TSL20170209-07
CVE ID(s) Not available.
Severity High
Description

An information disclosure vulnerability exists in Trend Micro Control Manager. The vulnerability is due to a security misconfiguration that allows access to the unreferenced download.php file, which in turn allows reading of arbitrary files.

A remote, unauthenticated attacker can exploit this vulnerability by sending a malicious HTTP request to the target system. Successful exploitation could result in an arbitrary file read from the target server.

The vendor has released the following advisory regarding this issue:

https://success.trendmicro.com/solution/1116624

Affected Products
  • Trend Micro Control Manager prior to Version 6.0 build 3444
CVSS Score Base 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is COMPLETE
  • Impact of this vulnerability on data integrity is NONE
  • Impact of this vulnerability on data availability is NONE
Temporal 5.8 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers
ZDI
References https://success.trendmicro.com/solution/1116624
Related Threats