Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-18188

Trend Micro Apex One could be exploited by an attacker utilizing a command injection vulnerability to extract files from an arbitrary zip file to a specific folder on the Apex One server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to the IUSR account, which has restricted permission and is unable to make major system changes. An attempted attack requires user authentication.

Published

2019-10-28T20:15:11.080

Last Modified

2024-11-21T04:32:47.540

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-77

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	trendmicro	apex_one	2019	Yes
Operating System	microsoft	windows	-	No

References

https://success.trendmicro.com/solution/000151731 Vendor Advisory ([email protected])
https://success.trendmicro.com/solution/000151731 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)