CVE-2020-27017

Published: Nov 9, 2020Modified: Nov 21, 2024

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD

Description

Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability.

Affected (1)

Products: Trendmicro: Interscan Messaging Security Virtual Appliance

1 product

Interscan Messaging Security Virtual Appliance

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Trendmicro Interscan Messaging Security Virtual Appliance	Up to 9.1

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (4)

https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva/

Source: security@trendmicro.com

ExploitThird Party Advisory

https://success.trendmicro.com/solution/000279833

Source: security@trendmicro.com

ExploitVendor Advisory

https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://success.trendmicro.com/solution/000279833

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.