CVE-2016-6270

Name of the Vulnerable Software and Affected Versions Trend Micro Virtual Mobile Infrastructure versions prior to 5.1

Description The issue allows remote authenticated users to execute arbitrary commands via shell metacharacters in the password to "api/v1/cfg/oauth/save identify pfx/".

Recommendations For versions prior to 5.1, update to version 5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the handle certificate function in /vmi/manager/engine/management/commands/apns worker.py until a patch is available. Avoid using shell metacharacters in the password parameter when accessing the "api/v1/cfg/oauth/save identify pfx/" endpoint.