CVE-2016-5840

Sažetak

hotfix_upload.cgi in Trend Micro Deep Discovery Inspector (DDI) 3.7, 3.8 SP1 (3.81), and 3.8 SP2 (3.82) allows remote administrators to execute arbitrary code via shell metacharacters in the filename parameter of the Content-Disposition header.

Reference

http://esupport.trendmicro.com/solution/en-US/1114281.aspx
http://jvn.jp/en/jp/JVN55428526/index.html
http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000103.html
http://www.zerodayinitiative.com/advisories/ZDI-16-373
https://www.exploit-db.com/exploits/40180/

CVSS

Base:	9.0
Impact:	10.0
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:N/AC:L/Au:S/C:C/I:C/A:C

Zadnje važnije ažuriranje

28-11-2016 - 20:29

Objavljeno

30-06-2016 - 16:59