ID CVE-2016-7547
Summary A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in the admin_sys_time.cgi interface.
References
Vulnerable Configurations
  • cpe:2.3:a:trendmicro:threat_discovery_appliance:2.6.1062:r1:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 17-04-2017 - 15:44)
Impact:
Exploitability:
CWE CWE-361
CAPEC
  • Session Fixation
    The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
bid 97610
misc https://github.com/rapid7/metasploit-framework/pull/8216/commits/0f07875a2ddb0bfbb4e985ab074e9fc56da1dcf6
Last major update 17-04-2017 - 15:44
Published 12-04-2017 - 10:59
Last modified 17-04-2017 - 15:44