CVE-2016-3987
Severity CVSS v4.0: Pending analysis
Type: CWE-284 Improper Access Control
Publication date: 12/04/2016
Last modified: 12/04/2025
Description
The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url parameter to (1) api/openUrlInDefaultBrowser or (2) api/showSB.
Impact
Base Score 3.x: 9.80
Severity 3.x: CRITICAL
Base Score 2.0: 10.00
Severity 2.0: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:trendmicro:password_manager:-:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- http://blog.trendmicro.com/information-on-reported-vulnerabilities-in-trend-micro-password-manager/
- http://packetstormsecurity.com/files/135222/TrendMicro-Node.js-HTTP-Server-Command-Execution.html
- http://www.securitytracker.com/id/1034662
- https://code.google.com/p/google-security-research/issues/detail?id=693
- https://www.exploit-db.com/exploits/39218/



