TrendMicro Officescan

An incorrect permission assignment privilege escalation vulnerability in Trend Micro Apex One, Apex One as a Service and Worry-Free Business Security Services could

CVE-2021-32464 7.8 - High - August 04, 2021

An incorrect permission assignment privilege escalation vulnerability in Trend Micro Apex One, Apex One as a Service and Worry-Free Business Security Services could allow an attacker to modify a specific script before it is executed. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Incorrect Default Permissions

An incorrect permission preservation vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could

CVE-2021-32465 8.8 - High - August 04, 2021

An incorrect permission preservation vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a remote user to perform an attack and bypass authentication on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Improper Preservation of Permissions

An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1

CVE-2021-36741 8.8 - High - July 29, 2021

An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1 allows a remote attached to upload arbitrary files on affected installations. Please note: an attacker must first obtain the ability to logon to the product?s management console in order to exploit this vulnerability.

Improper Input Validation

A improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG and Worry-Free Business Security 10.0 SP1

CVE-2021-36742 7.8 - High - July 29, 2021

A improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG and Worry-Free Business Security 10.0 SP1 allows a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Improper Input Validation

An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could

CVE-2021-28646 5.5 - Medium - April 13, 2021

An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific log file on affected installations.

Incorrect Permission Assignment for Critical Resource

An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could

CVE-2021-28645 7.8 - High - April 13, 2021

An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Incorrect Permission Assignment for Critical Resource

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could

CVE-2021-25253 7.8 - High - April 13, 2021

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Improper Privilege Management

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could

CVE-2021-25250 7.8 - High - April 13, 2021

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Improper Privilege Management

An improper access control information disclosure vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG SP1, and Worry-Free Business Security could allow an unauthenticated user to create a bogus agent on an affected server

CVE-2021-25246 6.5 - Medium - February 04, 2021

An improper access control information disclosure vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG SP1, and Worry-Free Business Security could allow an unauthenticated user to create a bogus agent on an affected server that could be used then make valid configuration queries.

AuthZ

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could

CVE-2021-25229 5.3 - Medium - February 04, 2021

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the database server.

AuthZ

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could

CVE-2021-25228 5.3 - Medium - February 04, 2021

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about hotfix history.

AuthZ

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could

CVE-2020-28573 5.3 - Medium - December 01, 2020

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal the total agents managed by the server.

Information Disclosure

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could

CVE-2020-28583 5.3 - Medium - December 01, 2020

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version, build and patch information.

Information Disclosure

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could

CVE-2020-28582 5.3 - Medium - December 01, 2020

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal number of managed agents.

Information Disclosure

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could

CVE-2020-28577 5.3 - Medium - December 01, 2020

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal server hostname and db names.

Information Disclosure

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could

CVE-2020-28576 5.3 - Medium - December 01, 2020

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version and build information.

Information Disclosure

Trend Micro Apex One (2019) and OfficeScan XG server contain a vulnerable EXE file

CVE-2020-8599 9.8 - Critical - March 18, 2020

Trend Micro Apex One (2019) and OfficeScan XG server contain a vulnerable EXE file that could allow a remote attacker to write arbitrary data to an arbitrary path on affected installations and bypass ROOT login. Authentication is not required to exploit this vulnerability.

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file

CVE-2020-8598 9.8 - Critical - March 18, 2020

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges. Authentication is not required to exploit this vulnerability.

Improper Input Validation

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file

CVE-2020-8470 7.5 - High - March 18, 2020

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow an attacker to delete any file on the server with SYSTEM level privileges. Authentication is not required to exploit this vulnerability.

Improper Input Validation

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could

CVE-2020-8468 8.8 - High - March 18, 2020

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication.

Injection

A migration tool component of Trend Micro Apex One (2019) and OfficeScan XG contains a vulnerability which could

CVE-2020-8467 8.8 - High - March 18, 2020

A migration tool component of Trend Micro Apex One (2019) and OfficeScan XG contains a vulnerability which could allow remote attackers to execute arbitrary code on affected installations (RCE). An attempted attack requires user authentication.

A directory traversal vulnerability in Trend Micro Apex One, OfficeScan (11.0, XG) and Worry-Free Business Security (9.5, 10.0) may

CVE-2019-18189 9.8 - Critical - October 28, 2019

A directory traversal vulnerability in Trend Micro Apex One, OfficeScan (11.0, XG) and Worry-Free Business Security (9.5, 10.0) may allow an attacker to bypass authentication and log on to an affected product's management console as a root user. The vulnerability does not require authentication.

Directory traversal

A vulnerability in Trend Micro Maximum Security's (Consumer) 2018 (versions 12.0.1191 and below) User-Mode Hooking (UMH) driver could allow an attacker to create a specially crafted packet

CVE-2018-3608 9.8 - Critical - July 06, 2018

A vulnerability in Trend Micro Maximum Security's (Consumer) 2018 (versions 12.0.1191 and below) User-Mode Hooking (UMH) driver could allow an attacker to create a specially crafted packet that could alter a vulnerable system in such a way that malicious code could be injected into other processes.

Code Injection

A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could

CVE-2018-10509 8.8 - High - June 12, 2018

A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a attacker to exploit it via a Browser Refresh attack on vulnerable installations. An attacker must be using a AD logon user account in order to exploit this vulnerability.

A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could

CVE-2018-10508 8.8 - High - June 12, 2018

A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a attacker to use a specially crafted URL to elevate account permissions on vulnerable installations. An attacker must already have at least guest privileges in order to exploit this vulnerability.

A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could

CVE-2018-10507 4.4 - Medium - June 12, 2018

A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a attacker to take a series of steps to bypass or render the OfficeScan Unauthorized Change Prevention inoperable on vulnerable installations. An attacker must already have administrator privileges in order to exploit this vulnerability.

A out-of-bounds read information disclosure vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could

CVE-2018-10506 4.7 - Medium - June 08, 2018

A out-of-bounds read information disclosure vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to disclose sensitive information on vulnerable installations due to a flaw within the processing of IOCTL 0x220004 by the TMWFP driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Out-of-bounds Read

A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could

CVE-2018-10505 6.3 - Medium - June 08, 2018

A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within the processing of IOCTL 0x220008 in the TMWFP driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Buffer Overflow

A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could

CVE-2018-10359 6.3 - Medium - June 08, 2018

A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within the processing of IOCTL 0x220078 in the TMWFP driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Buffer Overflow

A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could

CVE-2018-10358 6.3 - Medium - June 08, 2018

A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within the processing of IOCTL 0x2200B4 in the TMWFP driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Buffer Overflow

A DLL Hijacking vulnerability in Trend Micro's User-Mode Hooking Module (UMH) could

CVE-2018-6218 7 - High - February 16, 2018

A DLL Hijacking vulnerability in Trend Micro's User-Mode Hooking Module (UMH) could allow an attacker to run arbitrary code on a vulnerable system.

Untrusted Path

Directory traversal vulnerability in Trend Micro Office Scan 11.0, Worry-Free Business Security Service 5.x, and Worry-Free Business Security 9.0

CVE-2016-1223 5.3 - Medium - June 19, 2016

Directory traversal vulnerability in Trend Micro Office Scan 11.0, Worry-Free Business Security Service 5.x, and Worry-Free Business Security 9.0 allows remote attackers to read arbitrary files via unspecified vectors.

Directory traversal

The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions

CVE-2008-2433 9.8 - Critical - August 27, 2008

The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration."

Use of Insufficiently Random Values

Trend Micro OfficeScan 5.5, and probably other versions before 6.5, uses insecure DACLs for critical files, which

CVE-2006-1381 - March 24, 2006

Trend Micro OfficeScan 5.5, and probably other versions before 6.5, uses insecure DACLs for critical files, which allows local users to gain SYSTEM privileges by modifying tmlisten.exe.

Buffer overflow in pop3trap.exe for PC-cillin 2000, 2002, and 2003

CVE-2002-1349 - December 18, 2002

Buffer overflow in pop3trap.exe for PC-cillin 2000, 2002, and 2003 allows local users to execute arbitrary code via a long input string to TCP port 110 (POP3).