9.8

CVE-2008-2433

The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks.  NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 10.93% 0.953
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

http://secunia.com/advisories/31373
Patch
Vendor Advisory
Broken Link
http://secunia.com/secunia_research/2008-31/advisory/
Vendor Advisory
Broken Link
http://securityreason.com/securityalert/4191
Broken Link
http://www.securityfocus.com/archive/1/495670/100/0/threaded
Third Party Advisory
Broken Link
VDB Entry
http://www.securityfocus.com/bid/30792
Third Party Advisory
Broken Link
VDB Entry
http://www.securitytracker.com/id?1020732
Third Party Advisory
Broken Link
VDB Entry
http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2402_readme.txt
Vendor Advisory
http://www.trendmicro.com/ftp/documentation/readme/Readme_WFBS5%200_EN_CriticalPatch1404.txt
Vendor Advisory
http://www.vupen.com/english/advisories/2008/2421
Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/44597
Third Party Advisory
VDB Entry