CVE-2017-6340 Information
Description
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize the rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect access control that allows any authenticated remote user (even one with low privileges such as 'Auditor') to create or modify reports and consequently take advantage of this XSS vulnerability. The JavaScript is executed when victims visit the reports or auditlog pages.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Reference
http://www.securityfocus.com/bid/97487
https://success.trendmicro.com/solution/1116960
https://www.qualys.com/2017/01/12/qsa-2017-01-12/qsa-2017-01-12.pdf
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.4
Base Severity
MEDIUM