CVE-2020-8468

Warning

EPSS 5.03%
Published 18.03.2020 01:15:12
Last modified 13.02.2025 14:28:17
Source security@trendmicro.com
Teams watchlist Login
Open Login

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication.

Affected products Warnungen 1 Metrics 4 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Trendmicro ≫ Apex One Version2019

Trendmicro ≫ Officescan Versionxg

Trendmicro ≫ Officescan Versionxg Updatesp1

Trendmicro ≫ Worry-free Business Security Version9.0 Updatesp3

Trendmicro ≫ Worry-free Business Security Version9.5

Trendmicro ≫ Worry-free Business Security Version10.0 Update-

Trendmicro ≫ Worry-free Business Security Version10.0 Updatesp1

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Trend Micro Multiple Products Content Validation Escape Vulnerability

Vulnerability

Trend Micro Apex One, OfficeScan, and Worry-Free Business Security agents contain a content validation escape vulnerability that could allow an attacker to manipulate certain agent client components.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	5.03%	0.893

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://success.trendmicro.com/jp/solution/000244253

Patch

Vendor Advisory

https://success.trendmicro.com/solution/000245571

Patch

Vendor Advisory

https://success.trendmicro.com/jp/solution/000244836

Patch

Vendor Advisory

https://success.trendmicro.com/solution/000245572

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-8468

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-8468

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-8468

EUVD