CVE-2012-2998
Description
SQL injection vulnerability in the ad hoc query module in Trend Micro Control Manager (TMCM) before 5.5.0.1823 and 6.0 before 6.0.0.1449 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cret@cert.org — http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_tmcm60_patch1_1449.txt
Vendor advisory: cret@cert.org — http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_TMCM55_1823.txt
Vendor advisory: cret@cert.org — http://www.spentera.com/2012/09/trend-micro-control-manager-sql-injection-vulnerability/
Vendor advisory: cret@cert.org — http://jvndb.jvn.jp/jvndb/JVNDB-2012-000090
Vendor advisory: cret@cert.org — http://jvn.jp/en/jp/JVN42014489/index.html
Vendor advisory: cret@cert.org — http://esupport.trendmicro.com/solution/en-us/1061043.aspx
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| trend_micro | control_manager | up to and including 5.5 | |
| trend_micro | control_manager | 2.0 | |
| trend_micro | control_manager | 2.1 | |
| trend_micro | control_manager | 2.5 | |
| trend_micro | control_manager | 3.0 | |
| trend_micro | control_manager | 3.5 | |
| trend_micro | control_manager | 5.0 | |
| trend_micro | control_manager | 5.5 | |
| trend_micro | control_manager | 6.0 | |
References
- http://esupport.trendmicro.com/solution/en-us/1061043.aspx
- http://jvn.jp/en/jp/JVN42014489/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2012-000090
- http://www.kb.cert.org/vuls/id/950795
- http://www.securitytracker.com/id?1027584
- http://www.spentera.com/2012/09/trend-micro-control-manager-sql-injection-vulnerability/
- http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_TMCM55_1823.txt
- http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_tmcm60_patch1_1449.txt
CWEs
CWE-89