Vulnerability Details CVE-2016-5840
hotfix_upload.cgi in Trend Micro Deep Discovery Inspector (DDI) 3.7, 3.8 SP1 (3.81), and 3.8 SP2 (3.82) allows remote administrators to execute arbitrary code via shell metacharacters in the filename parameter of the Content-Disposition header.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.141
EPSS Ranking 93.9%
CVSS Severity
CVSS v3 Score 7.2
CVSS v2 Score 9.0
References
- http://esupport.trendmicro.com/solution/en-US/1114281.aspx
- http://jvn.jp/en/jp/JVN55428526/index.html
- http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000103.html
- http://www.zerodayinitiative.com/advisories/ZDI-16-373
- https://www.exploit-db.com/exploits/40180/
- http://esupport.trendmicro.com/solution/en-US/1114281.aspx
- http://jvn.jp/en/jp/JVN55428526/index.html
- http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000103.html
- http://www.zerodayinitiative.com/advisories/ZDI-16-373
- https://www.exploit-db.com/exploits/40180/
Products affected by CVE-2016-5840
-
cpe:2.3:a:trend_micro:deep_discovery_inspector:3.7
-
cpe:2.3:a:trend_micro:deep_discovery_inspector:3.81
-
cpe:2.3:a:trend_micro:deep_discovery_inspector:3.82