CVE-2017-6340

Published: Apr 5, 2017Modified: May 13, 2026

5.4

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize a rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect access control that allows any authenticated, remote user (even with low privileges like 'Auditor') to create or modify reports, and consequently take advantage of this XSS vulnerability. The JavaScript is executed when victims visit reports or auditlog pages.

Affected (1)

Products: Trendmicro: Interscan Web Security Virtual Appliance

1 product

Interscan Web Security Virtual Appliance

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Trendmicro Interscan Web Security Virtual Appliance	Up to 6.5

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

http://www.securityfocus.com/bid/97487

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://success.trendmicro.com/solution/1116960

Source: cve@mitre.org

PatchVendor Advisory

https://www.qualys.com/2017/01/12/qsa-2017-01-12/qsa-2017-01-12.pdf

Source: cve@mitre.org

ExploitTechnical DescriptionThird Party Advisory

http://www.securityfocus.com/bid/97487

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://success.trendmicro.com/solution/1116960

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://www.qualys.com/2017/01/12/qsa-2017-01-12/qsa-2017-01-12.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionThird Party Advisory

Timeline

No history available yet.