PT-2020-17020 · Trend Micro · Trend Micro Interscan Web Security Virtual Appliance
Published: 2020-11-18 · Updated: 2020-11-28 · CVE-2020-28580
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Trend Micro InterScan Web Security Virtual Appliance version 6.5 SP2
Description
A command injection issue in the AddVLANItem function could allow an authenticated, remote attacker to send specially crafted HTTP messages and execute arbitrary OS commands with elevated privileges.
Recommendations
For Trend Micro InterScan Web Security Virtual Appliance version 6.5 SP2, consider restricting access to the AddVLANItem function until a patch is available. As a temporary workaround, limit the privileges of users who can send HTTP messages to the affected appliance to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Trend Micro Interscan Web Security Virtual Appliance