CVE-2016-5840

High

Description

hotfix_upload.cgi in Trend Micro Deep Discovery Inspector (DDI) 3.7, 3.8 SP1 (3.81), and 3.8 SP2 (3.82) allows remote administrators to execute arbitrary code via shell metacharacters in the filename parameter of the Content-Disposition header.

References

http://www.zerodayinitiative.com/advisories/ZDI-16-373

http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000103.html

http://jvn.jp/en/jp/JVN55428526/index.html

http://esupport.trendmicro.com/solution/en-US/1114281.aspx

Details

Source: Mitre, NVD

Published: 2016-06-30

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.14105