Details of VAR-201704-1398

ID

VAR-201704-1398

CVE

CVE-2017-7896

TITLE

Trend Micro InterScan Messaging Security Virtual Appliance Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-003214

DESCRIPTION

Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks

Trust: 1.89

sources: NVD: CVE-2017-7896 // JVNDB: JVNDB-2017-003214 // BID: 97938

AFFECTED PRODUCTS

vendor:	trendmicro	model:	interscan messaging security virtual appliance	scope:	lte	version:	9.1	Trust: 1.0
vendor:	trend micro	model:	interscan messaging security virtual appliance	scope:	lt	version:	9.1	Trust: 0.8
vendor:	trend micro	model:	interscan messaging security virtual appliance	scope:	eq	version:	9.1 cp 1644	Trust: 0.8
vendor:	trendmicro	model:	interscan messaging security virtual appliance	scope:	eq	version:	9.1	Trust: 0.6
vendor:	trend micro	model:	interscan messaging security virtual appliance	scope:	eq	version:	9.1	Trust: 0.3
vendor:	trend micro	model:	interscan messaging security virtual appliance cp	scope:	ne	version:	9.11644	Trust: 0.3

sources: BID: 97938 // JVNDB: JVNDB-2017-003214 // CNNVD: CNNVD-201704-875 // NVD: CVE-2017-7896

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2017-7896
value:	MEDIUM
Trust: 1.8
CNNVD:	CNNVD-201704-875
value:	MEDIUM
Trust: 0.6

NVD:	CVE-2017-7896
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

NVD:	CVE-2017-7896
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 1.8

sources: JVNDB: JVNDB-2017-003214 // CNNVD: CNNVD-201704-875 // NVD: CVE-2017-7896

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-003214 // NVD: CVE-2017-7896

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-875

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201704-875

CONFIGURATIONS

sources: NVD: CVE-2017-7896

PATCH

title:	Solution Id:1116821	url:	https://success.trendmicro.com/solution/1116821-security-bulletin-trend-micro-interscan-messaging-security-virtual-appliance-imsva-9-1-multiple-v	Trust: 0.8
title:	Trend Micro InterScan Messaging Security Virtual Appliance Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=69368	Trust: 0.6

sources: JVNDB: JVNDB-2017-003214 // CNNVD: CNNVD-201704-875

EXTERNAL IDS

db:	NVD	id:	CVE-2017-7896	Trust: 2.7
db:	BID	id:	97938	Trust: 1.3
db:	JVNDB	id:	JVNDB-2017-003214	Trust: 0.8
db:	CNNVD	id:	CNNVD-201704-875	Trust: 0.6

sources: BID: 97938 // JVNDB: JVNDB-2017-003214 // CNNVD: CNNVD-201704-875 // NVD: CVE-2017-7896

REFERENCES

url:	https://success.trendmicro.com/solution/1116821-security-bulletin-trend-micro-interscan-messaging-security-virtual-appliance-imsva-9-1-multiple-v	Trust: 1.9
url:	http://www.securityfocus.com/bid/97938	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7896	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-7896	Trust: 0.8
url:	http://www.trendmicro.com/us/enterprise/network-security/interscan-message-security/	Trust: 0.3

sources: BID: 97938 // JVNDB: JVNDB-2017-003214 // CNNVD: CNNVD-201704-875 // NVD: CVE-2017-7896

CREDITS

Mehmet Dursun Ince of Prodaft / INVICTUS Europe and Bart Leppens

Trust: 0.3

sources: BID: 97938

SOURCES

db:	BID	id:	97938
db:	JVNDB	id:	JVNDB-2017-003214
db:	CNNVD	id:	CNNVD-201704-875
db:	NVD	id:	CVE-2017-7896

LAST UPDATE DATE

2022-05-04T10:12:12.831000+00:00

SOURCES UPDATE DATE

db:	BID	id:	97938	date:	2017-05-02T01:07:00
db:	JVNDB	id:	JVNDB-2017-003214	date:	2017-05-19T00:00:00
db:	CNNVD	id:	CNNVD-201704-875	date:	2017-04-19T00:00:00
db:	NVD	id:	CVE-2017-7896	date:	2017-04-25T00:43:00

SOURCES RELEASE DATE

db:	BID	id:	97938	date:	2017-03-07T00:00:00
db:	JVNDB	id:	JVNDB-2017-003214	date:	2017-05-19T00:00:00
db:	CNNVD	id:	CNNVD-201704-875	date:	2017-04-19T00:00:00
db:	NVD	id:	CVE-2017-7896	date:	2017-04-18T15:59:00