Published: 2018/01/16 Last Updated: 2018/01/16
JVNVU#91290407
Trend Micro Control Manager vulnerable to SQL injection
Overview
Trend Micro Control Manager contains multiple SQL injection vulnerabilities.
Products Affected
- Trend Micro Control Manager Version 6.0 prior to build 3506
Description
Trend Micro Control Manager contains multiple SQL injection vulnerabilities.
Impact
- An unauthenticated user may access and read files stored on the server
- A remote attacker may execute arbitrary code, escalate privileges, or perform directory traversal attacks
- A remote attacker may conduct SQL injection attacks and upload/execute arbitrary code
Solution
Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released Trend Micro Control Manager 6.0 Service Pack 3 Patch 2 Critical Patch (build 3506) to address these vulnerabilities.
Vendor Status
Vendor | Link |
Trend Micro Incorporated | SECURITY BULLETIN: Multiple Vulnerabilities in Trend Micro Control Manager (TMCM) 6.0 |
JPCERT/CC Addendum
This advisory refers to the vulnerabilities disclosed in the TippingPoint Zero Day Initiative advisories listed below.
ZDI-17-180 | ZDI-17-181 | ZDI-17-182 | ZDI-17-183 | ZDI-17-184 | ZDI-17-185 | ZDI-17-186 |
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.