Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-5840


hotfix_upload.cgi in Trend Micro Deep Discovery Inspector (DDI) 3.7, 3.8 SP1 (3.81), and 3.8 SP2 (3.82) allows remote administrators to execute arbitrary code via shell metacharacters in the filename parameter of the Content-Disposition header.


Published

2016-06-30T16:59:11.120

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 7.2 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE
Exploitability Score

8.0

Impact Score

10.0

Weaknesses
  • Type: Primary
    CWE-20

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application trend_micro deep_discovery_inspector 3.7 Yes
Application trend_micro deep_discovery_inspector 3.81 Yes
Application trend_micro deep_discovery_inspector 3.82 Yes

References