CVE-2017-6338

MEDIUM

Trendmicro Interscan Web Security Vir... - Incorrect Permission Assignment

Title source: rule

Description

Multiple Access Control issues in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 allow an authenticated, remote user with low privileges like 'Reports Only' or 'Auditor' to change FTP Access Control Settings, create or modify reports, or upload an HTTPS Decryption Certificate and Private Key.

Exploits (1)

exploitdb WORKING POC
webapps hardware
https://www.exploit-db.com/exploits/42013

Scores

CVSS v3 6.5
EPSS 0.0101
EPSS Percentile 76.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Classification

CWE
CWE-732
Status published

Affected Products (2)

trendmicro/interscan_web_security_virtual_appliance < 6.5
n/a/n/a

Timeline

Published Apr 05, 2017
Tracked Since Feb 18, 2026