CVE-2017-11394

EPSS 78.47%
Published 03.08.2017 15:29:00
Last modified 20.04.2025 01:37:25
Source security@trendmicro.com
Teams watchlist Login
Open Login

Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the T parameter within Proxy.php. Formerly ZDI-CAN-4544.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Trendmicro ≫ Officescan Version11.0 Updatesp1

Trendmicro ≫ Officescan Version12.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	78.47%	0.99

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://success.trendmicro.com/solution/1117769

Patch

Vendor Advisory

Mitigation

http://www.securityfocus.com/bid/100130

Third Party Advisory

VDB Entry

http://www.zerodayinitiative.com/advisories/ZDI-17-521

Third Party Advisory

VDB Entry

https://www.exploit-db.com/exploits/42971/

https://nvd.nist.gov/vuln/detail/CVE-2017-11394

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-11394

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-11394

EUVD