Trend Micro Mobile Security Enterprise get_dep_profile id SQL Injection
TSL ID: TSL20170915-05
CVE ID(s): CVE-2017-14078
Severity: High
Description

An SQL injection vulnerability exists in Trend Micro Mobile Security Enterprise. The vulnerability is due to insufficient validation of the id request parameter of the get_dep_profile action.

A remote authenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation of this vulnerability can lead to remote code execution in the context of SYSTEM.
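The following is an added illustration of the defect class the description names (an id request parameter reaching a SQL statement without validation) and of the fix pattern a defender applies: strict type validation followed by a parameterized query. It is not code from Trend Micro or from the affected product; the table name, column names, the function names get_dep_profile_vulnerable and get_dep_profile_hardened, and the in-memory SQLite store are all constructed for this example.

```python
import re
import sqlite3


def build_db():
    # Constructed in-memory sample table standing in for a profile store.
    # Schema and rows are assumptions for illustration, not the product's own.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dep_profile (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO dep_profile VALUES (?, ?)",
        [(1, "sales"), (2, "engineering"), (3, "executive")],
    )
    return conn


def get_dep_profile_vulnerable(conn, profile_id):
    # Vulnerable pattern: the request parameter is spliced into the SQL text,
    # so its value can change the statement instead of being treated as data.
    sql = f"SELECT id, name FROM dep_profile WHERE id = {profile_id}"
    return conn.execute(sql).fetchall()


_ID_RE = re.compile(r"[0-9]{1,10}")


def is_valid_profile_id(profile_id):
    # Accept only a short ASCII decimal integer. str.isdigit() is deliberately
    # avoided because it also accepts non-ASCII digit characters.
    return isinstance(profile_id, str) and _ID_RE.fullmatch(profile_id) is not None


def get_dep_profile_hardened(conn, profile_id):
    # Hardened pattern: validate the shape of the value first, then bind it as
    # a query parameter so the driver never interprets it as SQL syntax.
    if not is_valid_profile_id(profile_id):
        raise ValueError("id must be a decimal integer")
    return conn.execute(
        "SELECT id, name FROM dep_profile WHERE id = ?", (int(profile_id),)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A tampered value against the vulnerable handler returns every row;
    # the hardened handler rejects it before any query runs.
    print(get_dep_profile_vulnerable(db, "1 OR 1=1"))
    print(get_dep_profile_hardened(db, "2"))
    try:
        get_dep_profile_hardened(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The validation step and the parameter binding are independent defenses: binding alone already prevents the value from being parsed as SQL, and the allow-list check additionally gives request-level logging a clear signal (a non-numeric id on this action) that a security team can alert on.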

The vendor, Trend Micro, has released the following advisory regarding this vulnerability:

https://success.trendmicro.com/solution/1118224

Affected Products
  • Trend Micro Mobile Security (Enterprise) prior to 9.7 Patch 3 (b2406)
CVSS Score
Base 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C):
  • Access vector is NETWORK
  • Access complexity is MEDIUM
  • Level of authentication required is SINGLE
  • Impact of this vulnerability on data confidentiality is COMPLETE
  • Impact of this vulnerability on data integrity is COMPLETE
  • Impact of this vulnerability on data availability is COMPLETE
Temporal 6.3 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers
ZDI
References: https://success.trendmicro.com/solution/1118224
Related Threats