CVE-2020-8468 - OpenCVE

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Trendmicro	Apex One Worry-free Business Security Officescan

Configuration 1 [-]

OR	cpe:2.3:a:trendmicro:apex_one:2019:::::::*
	cpe:2.3:a:trendmicro:officescan:xg:::::::*
	cpe:2.3:a:trendmicro:officescan:xg:sp1::::::
	cpe:2.3:a:trendmicro:worry-free_business_security:9.0:sp3::::::
	cpe:2.3:a:trendmicro:worry-free_business_security:9.5:::::::*
	cpe:2.3:a:trendmicro:worry-free_business_security:10.0:-::::::
	cpe:2.3:a:trendmicro:worry-free_business_security:10.0:sp1::::::

References

Link	Resource
https://success.trendmicro.com/jp/solution/000244253	Patch Vendor Advisory
https://success.trendmicro.com/jp/solution/000244836	Patch Vendor Advisory
https://success.trendmicro.com/solution/000245571	Patch Vendor Advisory
https://success.trendmicro.com/solution/000245572	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: trendmicro

Published: 2020-03-18T00:30:43

Updated: 2020-03-18T00:30:43

Reserved: 2020-01-30T00:00:00

Link: CVE-2020-8468

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-03-18T01:15:12.003

Modified: 2022-07-12T17:42:04.277

Link: CVE-2020-8468

JSON object: View

Redhat Information

No data.

CWE

CWE-74

{"containers": {"cna": {"affected": [{"product": "Trend Micro OfficeScan, Trend Micro Apex One, Trend Micro Worry-Free Business Security (WFBS)", "vendor": "Trend Micro", "versions": [{"status": "affected", "version": "OfficeScan XG (12.0), Apex One 2019 (14.0), WFBS 9.0, 9.5 and 10.0"}]}], "descriptions": [{"lang": "en", "value": "Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication."}], "problemTypes": [{"descriptions": [{"description": "Content Validation Escape", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-18T00:30:43", "orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "shortName": "trendmicro"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/solution/000245571"}, {"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/jp/solution/000244253"}, {"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/solution/000245572"}, {"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/jp/solution/000244836"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@trendmicro.com", "ID": "CVE-2020-8468", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Trend Micro OfficeScan, Trend Micro Apex One, Trend Micro Worry-Free Business Security (WFBS)", "version": {"version_data": [{"version_value": "OfficeScan XG (12.0), Apex One 2019 (14.0), WFBS 9.0, 9.5 and 10.0"}]}}]}, "vendor_name": "Trend Micro"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Content Validation Escape"}]}]}, "references": {"reference_data": [{"name": "https://success.trendmicro.com/solution/000245571", "refsource": "MISC", "url": "https://success.trendmicro.com/solution/000245571"}, {"name": "https://success.trendmicro.com/jp/solution/000244253", "refsource": "MISC", "url": "https://success.trendmicro.com/jp/solution/000244253"}, {"name": "https://success.trendmicro.com/solution/000245572", "refsource": "MISC", "url": "https://success.trendmicro.com/solution/000245572"}, {"name": "https://success.trendmicro.com/jp/solution/000244836", "refsource": "MISC", "url": "https://success.trendmicro.com/jp/solution/000244836"}]}}}}, "cveMetadata": {"assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "assignerShortName": "trendmicro", "cveId": "CVE-2020-8468", "datePublished": "2020-03-18T00:30:43", "dateReserved": "2020-01-30T00:00:00", "dateUpdated": "2020-03-18T00:30:43", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"cisaActionDue": "2022-05-03", "cisaExploitAdd": "2021-11-03", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Trend Micro Multiple Products Content Validation Escape Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trendmicro:apex_one:2019:*:*:*:*:*:*:*", "matchCriteriaId": "AF019D2D-C426-4D2D-A254-442CE777B41E", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:officescan:xg:*:*:*:*:*:*:*", "matchCriteriaId": "602A0266-B586-447A-A500-1145B77053E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:officescan:xg:sp1:*:*:*:*:*:*", "matchCriteriaId": "64600B42-4884-41F2-A683-AE1EDB79372E", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security:9.0:sp3:*:*:*:*:*:*", "matchCriteriaId": "83FF66BA-6904-4D7F-944F-64896AD6CF3D", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security:9.5:*:*:*:*:*:*:*", "matchCriteriaId": "6E482D0E-3CC6-4D32-AC2E-6A506066ECAB", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security:10.0:-:*:*:*:*:*:*", "matchCriteriaId": "2A0EDD09-FA88-46A8-A62F-551EB253F722", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security:10.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "FFCE8717-85D2-4F4F-91DF-C6DA341C4E19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication."}, {"lang": "es", "value": "Los agentes de Trend Micro Apex One (2019), OfficeScan XG y Worry-Free Business Security versiones (9.0, 9.5, 10.0), est\u00e1n afectados por una vulnerabilidad de escape de comprobaci\u00f3n de contenido que podr\u00eda permitir a un atacante manipular determinados componentes del cliente del agente. Un intento de ataque requiere autenticaci\u00f3n de usuario."}], "id": "CVE-2020-8468", "lastModified": "2022-07-12T17:42:04.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-18T01:15:12.003", "references": [{"source": "security@trendmicro.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/jp/solution/000244253"}, {"source": "security@trendmicro.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/jp/solution/000244836"}, {"source": "security@trendmicro.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/solution/000245571"}, {"source": "security@trendmicro.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/solution/000245572"}], "sourceIdentifier": "security@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}