Sign-up

ID

VAR-201805-0274


CVE

CVE-2018-10353


TITLE

Trend Micro Email Encryption Gateway In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-005205

DESCRIPTION

A SQL injection information disclosure vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to disclose sensitive information on vulnerable installations due to a flaw in the formChangePass class. Authentication is required to exploit this vulnerability. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this in conjunction with other vulnerabilities to disclose sensitive information under the context of the database. Multiple SQL-injection vulnerabilities 2. A command-injection vulnerability 3. An insecure authentication weakness Exploiting these issues could allow an attacker to access or modify data, or exploit latent vulnerabilities in the underlying database, execute arbitrary command, bypass authentication mechanism, execute arbitrary code and obtain sensitive information. This may aid in further attacks

Trust: 2.61

sources: NVD: CVE-2018-10353 // JVNDB: JVNDB-2018-005205 // ZDI: ZDI-18-419 // BID: 104314 // VULHUB: VHN-120104

AFFECTED PRODUCTS

vendor:trendmicromodel:email encryption gatewayscope:lteversion:5.5

Trust: 1.0

vendor:trend micromodel:email encryption gatewayscope:eqversion:5.5

Trust: 0.8

vendor:trend micromodel:encryption for email gatewayscope: - version: -

Trust: 0.7

vendor:trendmicromodel:email encryption gatewayscope:eqversion:5.5

Trust: 0.6

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51111

Trust: 0.3

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51107

Trust: 0.3

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51073

Trust: 0.3

sources: ZDI: ZDI-18-419 // BID: 104314 // JVNDB: JVNDB-2018-005205 // CNNVD: CNNVD-201805-777 // NVD: CVE-2018-10353

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-10353
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-10353
value: MEDIUM

Trust: 0.8

ZDI: CVE-2018-10353
value: LOW

Trust: 0.7

CNNVD: CNNVD-201805-777
value: MEDIUM

Trust: 0.6

VULHUB: VHN-120104
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-10353
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2018-10353
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-120104
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-10353
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: ZDI: ZDI-18-419 // VULHUB: VHN-120104 // JVNDB: JVNDB-2018-005205 // CNNVD: CNNVD-201805-777 // NVD: CVE-2018-10353

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-120104 // JVNDB: JVNDB-2018-005205 // NVD: CVE-2018-10353

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201805-777

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201805-777

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-005205

PATCH
title:1119349url:https://success.trendmicro.com/solution/1119349
Trust: 1.5
title:Trend Micro Email Encryption Gateway SQL Repair measures for injecting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83662
Trust: 0.6
sources:
            
            
            ZDI: ZDI-18-419 // 
            
            
            
            JVNDB: JVNDB-2018-005205 // 
            
            
            
            CNNVD: CNNVD-201805-777

EXTERNAL IDS
db:NVDid:CVE-2018-10353
Trust: 3.5
db:ZDIid:ZDI-18-419
Trust: 2.7
db:JVNDBid:JVNDB-2018-005205
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-5594
Trust: 0.7
db:NSFOCUSid:39855
Trust: 0.6
db:CNNVDid:CNNVD-201805-777
Trust: 0.6
db:ZDIid:ZDI-18-418
Trust: 0.3
db:ZDIid:ZDI-18-411
Trust: 0.3
db:ZDIid:ZDI-18-415
Trust: 0.3
db:ZDIid:ZDI-18-416
Trust: 0.3
db:BIDid:104314
Trust: 0.3
db:VULHUBid:VHN-120104
Trust: 0.1
sources:
            
            
            ZDI: ZDI-18-419 // 
            
            
            
            VULHUB: VHN-120104 // 
            
            
            
            BID: 104314 // 
            
            
            
            JVNDB: JVNDB-2018-005205 // 
            
            
            
            CNNVD: CNNVD-201805-777 // 
            
            
            
            NVD: CVE-2018-10353

REFERENCES
url:https://success.trendmicro.com/solution/1119349
Trust: 2.4
url:https://www.zerodayinitiative.com/advisories/zdi-18-419/
Trust: 2.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10353
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-10353
Trust: 0.8
url:http://www.nsfocus.net/vulndb/39855
Trust: 0.6
url:http://www.trend.com
Trust: 0.3
url:trend micro encryption for email gateway dbcrypto authentication weakness vulnerability
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-411/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-418/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-416/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-415/
Trust: 0.3
sources:
            
            
            ZDI: ZDI-18-419 // 
            
            
            
            VULHUB: VHN-120104 // 
            
            
            
            BID: 104314 // 
            
            
            
            JVNDB: JVNDB-2018-005205 // 
            
            
            
            CNNVD: CNNVD-201805-777 // 
            
            
            
            NVD: CVE-2018-10353

CREDITS
Steven Seeley of Source Incite
Trust: 0.7
sources:
            
            
            ZDI: ZDI-18-419

SOURCES
db:ZDIid:ZDI-18-419
db:VULHUBid:VHN-120104
db:BIDid:104314
db:JVNDBid:JVNDB-2018-005205
db:CNNVDid:CNNVD-201805-777
db:NVDid:CVE-2018-10353

LAST UPDATE DATE
2024-11-23T22:17:30.734000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-18-419date:2018-05-04T00:00:00
db:VULHUBid:VHN-120104date:2018-06-22T00:00:00
db:BIDid:104314date:2018-05-04T00:00:00
db:JVNDBid:JVNDB-2018-005205date:2018-07-10T00:00:00
db:CNNVDid:CNNVD-201805-777date:2018-05-24T00:00:00
db:NVDid:CVE-2018-10353date:2024-11-21T03:41:14.837

SOURCES RELEASE DATE
db:ZDIid:ZDI-18-419date:2018-05-04T00:00:00
db:VULHUBid:VHN-120104date:2018-05-23T00:00:00
db:BIDid:104314date:2018-05-04T00:00:00
db:JVNDBid:JVNDB-2018-005205date:2018-07-10T00:00:00
db:CNNVDid:CNNVD-201805-777date:2018-05-24T00:00:00
db:NVDid:CVE-2018-10353date:2018-05-23T16:29:00.333