Published: 2020/08/25 Last Updated: 2020/08/25
JVNVU#98542645
Multiple vulnerabilities in InterScan Web Security Virtual Appliance (IWSVA)
Overview
InterScan Web Security Virtual Appliance (IWSVA) provided by Trend Micro Incorporated contains multiple vulnerabilities.
Products Affected
- InterScan Web Security Virtual Appliance (IWSVA) Version 6.5
Description
- Cross-site scripting (CWE-79) - CVE-2020-8603
  CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
- Directory traversal (CWE-22) - CVE-2020-8604
  CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H Base Score: 7.5
- OS command injection (CWE-78) - CVE-2020-8605
  CVSS v3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
- Improper authentication (CWE-287) - CVE-2020-8606
  CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Base Score: 9.8
Impact
- An arbitrary script may be executed on the logged-in user's web browser - CVE-2020-8603
- A local file on the server may be obtained and/or altered by a remote attacker - CVE-2020-8604
- Arbitrary code may be executed by an authenticated remote attacker - CVE-2020-8605
- A remote attacker may bypass authentication and access part of the application as an admin if the proxy is set to a certain port - CVE-2020-8606
Solution
Apply the Patch
Apply the appropriate patch according to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Other Information
CVE: CVE-2020-8603, CVE-2020-8604, CVE-2020-8605, CVE-2020-8606