Vulnerability Note VU#950795
Trend Micro Control Manager adhoc query vulnerability
Trend Micro Control Manager fails to properly filter user-supplied input within the ad hoc query module which could allow an attacker to upload and execute arbitrary code against the system.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Trend Micro Control Manager does not properly filter user-supplied input within the ad hoc query module. The successful exploitation of this vulnerability could potentially result in arbitrary SQL command input to the backend database. A remote attacker can execute SQL commands to upload and execute arbitrary code against the system.
An attacker with access to the Trend Micro Control Manager web interface can conduct a sql injection attack, which could be used to result in information leakage, arbitrary code execution and/or denial of service.
The vendor has stated that these vulnerabilities have been addressed in Trend Micro Control Manager version 5.5 and 6.0 critical patches.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Trend Micro||Affected||03 Aug 2012||21 Sep 2012|
CVSS Metrics (Learn More)
Thanks to Tom Gregory for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: CVE-2012-2998
- Date Public: 20 Sep 2012
- Date First Published: 27 Sep 2012
- Date Last Updated: 27 Sep 2012
- Document Revision: 18
If you have feedback, comments, or additional information about this vulnerability, please send us email.