Multiple Vulnerabilities – Trend Micro Control Manager 6.0

The following are publicly disclosed vulnerabilities I discovered in Trend Micro Control Manager 6.0.

Full details of the vulnerabilities have not been agreed upon for disclosure, so this is more for record keeping than anything else. Please do not inquire about details, as there is no agreement in place for me to divulge any. As much as I would love to discuss and help, I prefer staying out of jail much more 🙂

  • ZDI-CAN-3634 – Closed without public disclosure (unknown reasoning as it was/is a valid finding)

SQL Injection with RCE:

XXE:

XPATH Injection: