Arbitrary Code Execution in Trend Micro Deep Discovery Inspector (DDI) 3.7-3.8 SP2 via hotfix_upload.cgi

CVE-2016-5840 · HIGH Severity

CVSS v2 vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

hotfix_upload.cgi in Trend Micro Deep Discovery Inspector (DDI) 3.7, 3.8 SP1 (3.81), and 3.8 SP2 (3.82) allows remote administrators to execute arbitrary code via shell metacharacters in the filename parameter of the Content-Disposition header.
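
A defensive handling of the filename parameter, as an added example that is not Trend Micro's code and not part of the original advisory: extract the filename from the Content-Disposition value, accept it only if it matches an allow-list, and hand it to any helper as an argv element rather than through a shell. The allow-list pattern, the tar unpack step, the /var/tmp/hotfix path and the sample header values are assumptions made for illustration.

```python
import re
from email.message import Message

# Assumed naming policy for hotfix packages: letters, digits, dot, dash, underscore.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def upload_filename(content_disposition):
    """Extract the filename parameter from a Content-Disposition header value."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    name = msg.get_param("filename", header="content-disposition")
    if not isinstance(name, str):
        # None (parameter absent) or an RFC 2231 tuple (filename*=...): refuse both.
        raise ValueError("missing or encoded filename parameter")
    return name


def validated_filename(content_disposition):
    """Return the filename only if it matches the allow-list, else raise ValueError."""
    name = upload_filename(content_disposition)
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("filename rejected: %r" % name)
    return name


def unpack_argv(content_disposition, upload_dir="/var/tmp/hotfix"):
    """Build the argv for a hypothetical unpack step, to be run with shell=False."""
    name = validated_filename(content_disposition)
    # A list given to subprocess.run(..., shell=False) is never parsed by a shell,
    # so the name remains one argument even if the allow-list were loosened later.
    return ["tar", "-xzf", upload_dir + "/" + name, "-C", upload_dir]


def rejected(content_disposition):
    """True when the header's filename fails validation."""
    try:
        validated_filename(content_disposition)
    except ValueError:
        return True
    return False


# Constructed sample header values (not taken from the advisory).
GOOD = 'form-data; name="file"; filename="hotfix_3.82.tgz"'
BAD = ['form-data; name="file"; filename="a;b.tgz"',
       'form-data; name="file"; filename="a|b.tgz"',
       'form-data; name="file"; filename="a b.tgz"',
       'form-data; name="file"; filename="../a.tgz"',
       'form-data; name="file"']
```

Validation and shell-free execution are independent layers: the allow-list rejects unexpected names at the boundary, and the argv list removes the shell from the path entirely.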
