Published: 2020/08/25  Last Updated: 2020/08/25

JVNVU#98542645
Multiple vulnerabilities in InterScan Web Security Virtual Appliance (IWSVA)

Overview

InterScan Web Security Virtual Appliance (IWSVA) provided by Trend Micro Incorporated contains multiple vulnerabilities.

Products Affected

  • InterScan Web Security Virtual Appliance (IWSVA) Version 6.5

Description

  • Cross-site scripting (CWE-79) - CVE-2020-8603
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
  • Directory traversal (CWE-22) - CVE-2020-8604
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H Base Score: 7.5
  • OS command injection (CWE-78) - CVE-2020-8605
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
  • Improper authentication (CWE-287) - CVE-2020-8606
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Base Score: 9.8

Impact

  • An arbitrary script may be executed in the logged-in user's web browser - CVE-2020-8603
  • A local file on the server may be obtained and/or altered by a remote attacker - CVE-2020-8604
  • Arbitrary code may be executed by an authenticated remote attacker - CVE-2020-8605
  • A remote attacker may bypass authentication and access part of the application as an admin if the proxy is set to a certain port - CVE-2020-8606

Solution

Apply the Patch
Apply the appropriate patch according to the information provided by the developer.

Credit

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

Other Information

CVE: CVE-2020-8603, CVE-2020-8604, CVE-2020-8605, CVE-2020-8606