Trend Micro InterScan Web Security Virtual Appliance CVE-2017-6340 HTML Injection Vulnerability

Trend Micro InterScan Web Security Virtual Appliance (IWSVA) is prone to an HTML-injection vulnerability because it fails to sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 is vulnerable.

Information

Bugtraq ID: 97487
Class: Input Validation Error
CVE: CVE-2017-6340

Remote: Yes
Local: No
Published: Apr 05 2017 12:00AM
Credit: Steven Seeley, Kapil Khot, and Steffen Ulrich
Vulnerable: Trend Micro InterScan Web Security Virtual Appliance 6.5-SP2 CP 1739
Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 CP Build 162
Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2
Trend Micro InterScan Web Security Virtual Appliance 6.5 CP 1737
Trend Micro InterScan Web Security Virtual Appliance 6.5

Not Vulnerable: Trend Micro InterScan Web Security Virtual Appliance 6.5 CP 1746

Exploit

An attacker can exploit this issue using a web browser.

References:

Multiple Vulnerabilities in Trend Micro Interscan Web Security Virtual Appliance (Qualys)
Trend Micro Homepage (Trend Micro)
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 Multiple Vulner (Trend Micro)

Source: www.securityfocus.com

Exploit Collector

Search Exploit