CVE-2016-3987

CRITICAL

Trend Micro Password Manager - Command Injection

Title source: llm

Description

The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url parameter to (1) api/openUrlInDefaultBrowser or (2) api/showSB.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · htmlremotewindows

https://www.exploit-db.com/exploits/39218

View Code ZIP pw:eip

References (5)

[Vendor Advisory] http://blog.trendmicro.com/information-on-reported-vulnerabilities-in-trend-micro-password-manager/

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/135222/TrendMicro-Node.js-HTTP-Server-Command-Execution.html

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1034662

[Third Party Advisory] https://code.google.com/p/google-security-research/issues/detail?id=693

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/39218/

Scores

CVSS v3 9.8

EPSS 0.4315

EPSS Percentile 97.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-284

Status published

Products (1)

trendmicro/password_manager

Published Apr 12, 2016

Tracked Since Feb 18, 2026