CVE-2016-5840

hotfix_upload.cgi in Trend Micro Deep Discovery Inspector (DDI) 3.7, 3.8 SP1 (3.81), and 3.8 SP2 (3.82) allows remote administrators to execute arbitrary code via shell metacharacters in the filename parameter of the Content-Disposition header.

Published: Jun 30, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-5840
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
trend_micro / deep_discovery_inspector	3.81	3.81.x
trend_micro / deep_discovery_inspector	3.7	3.7.x
trend_micro / deep_discovery_inspector	3.82	3.82.x

http://esupport.trendmicro.com/solution/en-US/1114281.aspx
http://jvn.jp/en/jp/JVN55428526/index.html
http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000103.html
http://www.zerodayinitiative.com/advisories/ZDI-16-373
https://www.exploit-db.com/exploits/40180/

Vulnerability Database

289,871

CVE-2016-5840