Advisory Details

November 6th, 2014

Trend Micro InterScan Web Security Virtual Appliance Information Disclosure Vulnerability

CVE ID	CVE-2014-8510
CVSS SCORE	6.5, AV:N/AC:L/Au:S/C:P/I:P/A:P
AFFECTED VENDORS	Trend Micro
AFFECTED PRODUCTS	InterScan Web Security
TREND MICRO CUSTOMER PROTECTION	Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID ['13855']. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS	This vulnerability allows remote attackers to read files from the underlying operating system on vulnerable installations of Trend Micro InterScan Web Security Virtual Appliance web application authentication is required to exploit this vulnerability. The specific flaw exists within multiple areas of the AdminUI. The issue lies in the handling of configuration input due to a failure to safely sanitize user data before saving filters. An attacker could leverage this vulnerability to read any file to which the web app has read access.
ADDITIONAL DETAILS	Vendor has released a hotfix to address the issue: IWSVA 6.0 HF build 1244
DISCLOSURE TIMELINE	2014-06-12 - Vulnerability reported to vendor 2014-11-06 - Coordinated public release of advisory
CREDIT	Brandon Perry

BACK TO ADVISORIES