CVE-2017-11392

Published: Aug 3, 2017Modified: May 13, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the "T" parameter within modTMCSS Proxy. Formerly ZDI-CAN-4745.

Affected (2)

Products: Trendmicro: Interscan Messaging Security Virtual Appliance

1 product

Interscan Messaging Security Virtual Appliance

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Trendmicro Interscan Messaging Security Virtual Appliance	Version 9.0
Trendmicro Interscan Messaging Security Virtual Appliance	Version 9.1

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (6)

http://www.securityfocus.com/bid/100075

Source: security@trendmicro.com

http://www.zerodayinitiative.com/advisories/ZDI-17-504

Source: security@trendmicro.com

Third Party AdvisoryVDB Entry

https://success.trendmicro.com/solution/1117723

Source: security@trendmicro.com

Vendor Advisory

http://www.securityfocus.com/bid/100075

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.zerodayinitiative.com/advisories/ZDI-17-504

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://success.trendmicro.com/solution/1117723

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.