CVE-2016-3987

Published: Apr 12, 2016Modified: May 6, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url parameter to (1) api/openUrlInDefaultBrowser or (2) api/showSB.

Affected (1)

Products: Trendmicro: Password Manager

Trendmicro

1 product

Password Manager

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Trendmicro Password Manager	All versions

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (10)

http://blog.trendmicro.com/information-on-reported-vulnerabilities-in-trend-micro-password-manager/

Source: cve@mitre.org

Vendor Advisory

http://packetstormsecurity.com/files/135222/TrendMicro-Node.js-HTTP-Server-Command-Execution.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1034662

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://code.google.com/p/google-security-research/issues/detail?id=693

Source: cve@mitre.org

Third Party Advisory

https://www.exploit-db.com/exploits/39218/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://blog.trendmicro.com/information-on-reported-vulnerabilities-in-trend-micro-password-manager/