Description
Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro ServerProtect for Linux 3.0 before CP 1531 allow remote attackers to inject arbitrary web script or HTML via the (1) S44, (2) S5, (3) S_action_fail, (4) S_ptn_update, (5) T113, (6) T114, (7) T115, (8) T117117, (9) T118, (10) T_action_fail, (11) T_ptn_update, (12) textarea, (13) textfield5, or (14) tmLastConfigFileModifiedDate parameter to notification.cgi.
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1038548
Patch, Vendor Advisory x_refsource_confirm
https://success.trendmicro.com/solution/1117411
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities
Exploit, Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2017/May/91
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/142645/Trend-Micro-ServerProtect-Disclosure-CSRF-XSS.html
Scores
CVSS v3
6.1
EPSS
0.0124
EPSS Percentile
79.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
trendmicro/serverprotect
3.0
Published
May 26, 2017
Tracked Since
Feb 18, 2026