Trend Micro Smart Protection Server wcs_bwlists_handler.php Command Injection
TSL ID: TSL20170406-03
CVE ID(s): Not available.
Severity: Moderate
Description

A remote command execution vulnerability exists in the wcs_bwlists_handler.php script of Trend Micro Smart Protection Server. The vulnerability is due to insufficient validation of user-supplied input.

A remote, authenticated attacker could exploit this vulnerability by providing crafted input to the vulnerable system. Successful exploitation could lead to arbitrary command execution under the security context of the webserv user.

Trend Micro has published the following advisory to address this issue:

https://success.trendmicro.com/solution/1117033

Affected Products
  • Trend Micro Smart Protection Server Version 3.0 before patch CP b1348
  • Trend Micro Smart Protection Server Version 3.1 before patch CP b1030
CVSS Score
Base 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P):
  • Access vector is NETWORK
  • Access complexity is MEDIUM
  • Level of authentication required is SINGLE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is PARTIAL
Temporal 4.4 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers
ZDI
References: https://success.trendmicro.com/solution/1117033