Public Advisories
Some of our responsibly disclosed 0-day exploits
Command Injection
ZDI-16-348: Trend Micro InterScan Web Security ManagePatches filename Remote Code Execution Vulnerability
CVE-2016-5840: Trend Micro Deep Discovery hotfix_upload.cgi filename Remote Code Execution Vulnerability
SQL Injection
CVE-2015-6004: What’s Up Gold “Find Device” search field does not properly neutralize user input (SQL injection)
ZDI-16-455: Trend Micro Control Manager cgiCMUIDispatcher SQL Injection Remote Code Execution Vulnerability
ZDI-16-456: Trend Micro Control Manager AdHocQuery_CustomProfiles SQL Injection Remote Code Execution Vulnerability
Local File Disclosure (LFD)
otx.alienvault.com Local File Disclosure
External XML Entity (XXE)
ZDI-16-457: Trend Micro Control Manager TreeUserControl_process_tree_event External Entity Processing Information Disclosure Vulnerability
ZDI-16-458: Trend Micro Control Manager ProductTree External Entity Processing Information Disclosure Vulnerability
ZDI-16-459: Trend Micro Control Manager DeploymentPlan_Event_Handler External Entity Processing Information Disclosure Vulnerability
CVE-2017-6323: Symantec Management Console Multiple XXE prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6 & ITMS 7.6_POST_HF7
Persistent Cross Site Scripting (XSS)
CVE-2015-6005: Improper Neutralization of Script-Related HTML Tags in What’s Up Gold
CVE-2017-6322: Symantec Management Console Multiple XSS prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6 & ITMS 7.6_POST_HF7
Reflected Cross Site Scripting (XSS)
CVE-2017-6322: Symantec Management Console Multiple XSS prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6 & ITMS 7.6_POST_HF7
XPATH Injection
ZDI-16-460: Trend Micro Control Manager AdHocQuery_SelectView XPATH Injection Information Disclosure Vulnerability
ZDI-16-461: Trend Micro Control Manager AdHocQuery_SelectView XPATH Injection Information Disclosure Vulnerability (second advisory)