PT-2018-9842 · Trend Micro · Trend Micro Email Encryption Gateway

Steven Seeley

Published

2018-05-04

Updated

2018-06-22

CVE-2018-10356

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Trend Micro Email Encryption Gateway version 5.5

Description: A SQL injection remote code execution issue exists due to a flaw in the formRequestDomains class, allowing an attacker to execute arbitrary SQL statements on vulnerable installations. Authentication is required to exploit this issue.

Recommendations: For Trend Micro Email Encryption Gateway version 5.5, consider disabling the formRequestDomains class as a temporary workaround until a patch is available. Restrict access to the vulnerable hidDomains functionality to minimize the risk of exploitation.

Fix

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2018-10356

ZDI-18-420

Affected Products

Trend Micro Email Encryption Gateway

PT-2018-9842 · Trend Micro · Trend Micro Email Encryption Gateway

CVE-2018-10356

Weakness Enumeration

Related Identifiers

Affected Products

References · 4