CVE-2017-6340

Name of the Vulnerable Software and Affected Versions Trend Micro InterScan Web Security Virtual Appliance (IWSVA) versions 6.5 before CP 1746

Description The issue concerns a lack of sanitization in a report/template name field, allowing a user with 'Reports Only' access to inject malicious JavaScript when creating a new report. Furthermore, incorrect access control allows any authenticated, remote user, including those with low privileges like 'Auditor', to create or modify reports and exploit this issue. The injected JavaScript is executed when victims visit reports or audit log pages.

Recommendations For Trend Micro InterScan Web Security Virtual Appliance (IWSVA) versions 6.5 before CP 1746, update to a version that includes CP 1746 or later to resolve the issue.