TrendMicro Apex One

By the Year

In 2024 there have been 17 vulnerabilities in TrendMicro Apex One with an average score of 7.7 out of ten. Last year Apex One had 1 security vulnerability published. That is, 16 more vulnerabilities have already been reported in 2024 as compared to last year. Last year, the average CVE base score was greater by 1.40.

Year Vulnerabilities Average Score
2024 17 7.70
2023 1 9.10
2022 5 7.98
2021 10 7.04
2020 10 7.12
2019 1 9.80
2018 0 0.00

It may take a day or so for new Apex One vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent TrendMicro Apex One Security Vulnerabilities

CVE-2023-47192 7.8 - High - January 23, 2024

An agent link vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

insecure temporary file

CVE-2023-52092 7.8 - High - January 23, 2024

A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

insecure temporary file

CVE-2023-52091 7.8 - High - January 23, 2024

An anti-spyware engine link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

insecure temporary file

CVE-2023-52090 7.8 - High - January 23, 2024

A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

insecure temporary file

CVE-2023-47202 7.8 - High - January 23, 2024

A local file inclusion vulnerability on the Trend Micro Apex One management server could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2023-47201 7.8 - High - January 23, 2024

A plug-in manager origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47200.

CVE-2023-52330 6.1 - Medium - January 23, 2024

A cross-site scripting vulnerability in Trend Micro Apex Central could allow a remote attacker to execute arbitrary code on affected installations of Trend Micro Apex Central. Please note: user interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

XSS

CVE-2023-52093 7.8 - High - January 23, 2024

An exposed dangerous function vulnerability in the Trend Micro Apex One agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2023-52094 7.8 - High - January 23, 2024

An updater link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to abuse the updater to delete an arbitrary folder, leading to a local privilege escalation on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

insecure temporary file

CVE-2023-47200 7.8 - High - January 23, 2024

A plug-in manager origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47201.

Origin Validation Error

CVE-2023-47199 7.8 - High - January 23, 2024

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47193.

Origin Validation Error

CVE-2023-47198 7.8 - High - January 23, 2024

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47199.

Origin Validation Error

CVE-2023-47197 7.8 - High - January 23, 2024

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47198.

Origin Validation Error

CVE-2023-47196 7.8 - High - January 23, 2024

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47197.

Origin Validation Error

CVE-2023-47195 7.8 - High - January 23, 2024

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47196.

Origin Validation Error

CVE-2023-47194 7.8 - High - January 23, 2024

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47195.

Origin Validation Error

CVE-2023-47193 7.8 - High - January 23, 2024

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47194.

Origin Validation Error

CVE-2023-0587 9.1 - Critical - February 01, 2023

A file upload vulnerability exists in Trend Micro Apex One server build 11110. Using a malformed Content-Length header in an HTTP PUT message sent to URL /officescan/console/html/cgi/fcgiOfcDDA.exe, an unauthenticated remote attacker can upload arbitrary files to the SampleSubmission directory (i.e., \PCCSRV\TEMP\SampleSubmission) on the server. The attacker can upload a large number of large files to fill up the file system on which the Apex One server is installed.

Unrestricted File Upload

CVE-2022-44654 7.5 - High - December 12, 2022

Affected builds of Trend Micro Apex One and Apex One as a Service contain a monitor engine component that is compiled without the /SAFESEH memory protection mechanism which helps to monitor for malicious payloads. The affected component's memory protection mechanism has been updated to enhance product security.

CVE-2022-44651 7 - High - December 12, 2022

A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One and Apex One as a Service agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

TOCTTOU

CVE-2022-44652 7.8 - High - December 12, 2022

An improper handling of exceptional conditions vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Improper Handling of Exceptional Conditions

CVE-2022-44653 7.8 - High - December 12, 2022

A security agent directory traversal vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Directory traversal

CVE-2022-26871 9.8 - Critical - March 29, 2022

An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to upload an arbitrary file which could lead to remote code execution.

Insufficient Verification of Data Authenticity

CVE-2021-42012 7.8 - High - October 21, 2021

A stack-based buffer overflow vulnerability in Trend Micro Apex One, Apex One as a Service and Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Memory Corruption

CVE-2021-32464 7.8 - High - August 04, 2021

An incorrect permission assignment privilege escalation vulnerability in Trend Micro Apex One, Apex One as a Service and Worry-Free Business Security Services could allow an attacker to modify a specific script before it is executed. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Incorrect Default Permissions

CVE-2021-32465 8.8 - High - August 04, 2021

An incorrect permission preservation vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a remote user to perform an attack and bypass authentication on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Improper Preservation of Permissions

CVE-2021-28646 5.5 - Medium - April 13, 2021

An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific log file on affected installations.

Incorrect Permission Assignment for Critical Resource

CVE-2021-28645 7.8 - High - April 13, 2021

An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Incorrect Permission Assignment for Critical Resource

CVE-2021-25253 7.8 - High - April 13, 2021

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Improper Privilege Management

CVE-2021-25250 7.8 - High - April 13, 2021

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Improper Privilege Management

CVE-2021-25228 5.3 - Medium - February 04, 2021

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about hotfix history.

AuthZ

CVE-2021-25229 5.3 - Medium - February 04, 2021

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the database server.

AuthZ

CVE-2021-25246 6.5 - Medium - February 04, 2021

An improper access control information disclosure vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG SP1, and Worry-Free Business Security could allow an unauthenticated user to create a bogus agent on an affected server that could then be used to make valid configuration queries.

AuthZ

CVE-2020-28583 5.3 - Medium - December 01, 2020

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version, build and patch information.

Information Disclosure

CVE-2020-28582 5.3 - Medium - December 01, 2020

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal the number of managed agents.

Information Disclosure

CVE-2020-28577 5.3 - Medium - December 01, 2020

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal server hostname and db names.

Information Disclosure

CVE-2020-28576 5.3 - Medium - December 01, 2020

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version and build information.

Information Disclosure

CVE-2020-28573 5.3 - Medium - December 01, 2020

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal the total agents managed by the server.

Information Disclosure

CVE-2020-8467 8.8 - High - March 18, 2020

A migration tool component of Trend Micro Apex One (2019) and OfficeScan XG contains a vulnerability which could allow remote attackers to execute arbitrary code on affected installations (RCE). An attempted attack requires user authentication.

CVE-2020-8599 9.8 - Critical - March 18, 2020

Trend Micro Apex One (2019) and OfficeScan XG server contain a vulnerable EXE file that could allow a remote attacker to write arbitrary data to an arbitrary path on affected installations and bypass ROOT login. Authentication is not required to exploit this vulnerability.

CVE-2020-8598 9.8 - Critical - March 18, 2020

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges. Authentication is not required to exploit this vulnerability.

Improper Input Validation

CVE-2020-8470 7.5 - High - March 18, 2020

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow an attacker to delete any file on the server with SYSTEM level privileges. Authentication is not required to exploit this vulnerability.

Improper Input Validation

CVE-2020-8468 8.8 - High - March 18, 2020

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication.

Injection

CVE-2019-18189 9.8 - Critical - October 28, 2019

A directory traversal vulnerability in Trend Micro Apex One, OfficeScan (11.0, XG) and Worry-Free Business Security (9.5, 10.0) may allow an attacker to bypass authentication and log on to an affected product's management console as a root user. The vulnerability does not require authentication.

Directory traversal
