First published: Mon Jun 26 2023
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Mobile Security for Enterprises. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the getWidgetPoolManager function defined within the web/widgetforsecurity path. The issue results from the lack of proper validation of user-supplied data prior to passing it to a PHP include function. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of IUSR.
Credit: security@trendmicro.com
Affected Software | Affected Version | How to fix |
---|---|---|
Trend Micro Mobile Security for Enterprises | | |
Trendmicro Mobile Security | =9.8-sp5 | |
The ID for this vulnerability is CVE-2023-32528.
The severity of CVE-2023-32528 is high.
The affected software for CVE-2023-32528 is Trend Micro Mobile Security for Enterprises version 9.8-sp5.
CVE-2023-32528 allows remote attackers to execute arbitrary code on affected installations of Trend Micro Mobile Security for Enterprises.
Authentication is required to exploit CVE-2023-32528, but the existing authentication mechanism can be bypassed.