Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-6340

Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize a rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect access control that allows any authenticated, remote user (even with low privileges like 'Auditor') to create or modify reports, and consequently take advantage of this XSS vulnerability. The JavaScript is executed when victims visit reports or auditlog pages.

Published

2017-04-05T16:59:00.270

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 5.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	trendmicro	interscan_web_security_virtual_appliance	≤ 6.5	Yes

References

http://www.securityfocus.com/bid/97487 Third Party Advisory, VDB Entry ([email protected])
https://success.trendmicro.com/solution/1116960 Patch, Vendor Advisory ([email protected])
https://www.qualys.com/2017/01/12/qsa-2017-01-12/qsa-2017-01-12.pdf Exploit, Technical Description, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/97487 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://success.trendmicro.com/solution/1116960 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.qualys.com/2017/01/12/qsa-2017-01-12/qsa-2017-01-12.pdf Exploit, Technical Description, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)