
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN326
_____________________________________________________________________

DATE                : 16/06/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Trend Micro InterScan Web Security
                             Virtual Appliance version 6.5 SP2.

=====================================================================
https://success.trendmicro.com/solution/000286452
_____________________________________________________________________


SECURITY BULLETIN: Trend Micro InterScan Web Security Virtual Appliance
6.5 Reflected XSS Vulnerability

        Updated: 15 Jun 2021
        Product/Version: InterScan Web Security Virtual Appliance 6.5
        Platform:


Summary

Release Date: June 15, 2021
CVE Identifier(s): CVE-2021-31521
Platform(s): Virtual Appliance
CVSS 3.0 Score(s): 6.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Severity Rating(s): Medium


Trend Micro has released a new Critical Patch (CP) for InterScan Web
Security Virtual Appliance (IWSVA) 6.5 SP2.  This CP resolves a
reflected cross-site scripting (XSS) vulnerability in the product's
Captive Portal.


Details

Affected Version(s)

Product   Affected Version(s)   Platform            Language(s)
IWSVA     Version 6.5 SP2       Virtual Appliance   English


Solution

Trend Micro has released the following solutions to address the issue:

Product   Updated version           Notes    Platform            Availability
IWSVA     Version 6.5 SP2 CP 1943   Readme   Virtual Appliance   Now Available


These are the minimum versions of the patch and/or build required to
address the issue. Trend Micro highly encourages customers to obtain the
latest version of the product if a newer one is available than the one
listed in this bulletin.

Customers are encouraged to visit Trend Micro’s Download Center to
obtain prerequisite software (such as Service Packs) before applying any
of the solutions above.


Vulnerability Details

CVE-2021-31521:  Trend Micro InterScan Web Security Virtual Appliance
6.5 Reflected XSS Vulnerability
CVSSv3: 6.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Trend Micro InterScan Web Security Virtual Appliance version 6.5 was
found to have a reflected cross-site scripting (XSS) vulnerability in
the product's Captive Portal.


Mitigating Factors

Exploiting these types of vulnerabilities generally requires that an
attacker has access (physical or remote) to a vulnerable machine. In
addition to timely application of patches and updated solutions,
customers are also advised to review remote access to critical systems
and ensure policies and perimeter security are up to date.

However, even though an exploit may require several specific conditions
to be met, Trend Micro strongly encourages customers to update to the
latest builds as soon as possible.


Acknowledgement

Trend Micro would like to thank the following individuals for
responsibly disclosing these issues and working with Trend Micro to help
protect our customers:

    Ch Muhammad Osama



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




