Trend Micro Control Manager AdHocQuery_Processor.aspx id Parameter SQL Injection

Medium Nessus Plugin ID 62628


The remote Windows host has a web application that is affected by a SQL injection vulnerability.


Trend Micro Control Manager, a centralized threat and data protection management application, is installed on the remote Windows host and is potentially affected by a SQL injection vulnerability because the application fails to properly sanitize user-supplied input to the 'id' parameter of the AdHocQuery_Processor.aspx script.

By exploiting this flaw, a remote, authenticated attacker could launch a SQL injection attack against the affected application, leading to the discovery of sensitive information, attacks against the underlying database, and the like.


Critical Patch - Build 1823 is available for Trend Micro Control Manager 5.5. Critical Patch - Build 1449 is available for Trend Micro Control Manager 6.0. If you are using an older version, upgrade to either 5.5 or 6.0 and apply the relevant patch.

Plugin Details

Severity: Medium

ID: 62628

File Name: trendmicro_control_manager_id_sqli.nasl

Version: $Revision: 1.4 $

Type: local

Agent: windows

Family: Windows

Published: 2012/10/18

Modified: 2017/06/12

Dependencies: 13855

Risk Information

Risk Factor: Medium


Base Score: 6.5

Temporal Score: 5.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:trend_micro:control_manager

Required KB Items: SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2012/09/24

Vulnerability Publication Date: 2012/09/24

Reference Information

CVE: CVE-2012-2998

BID: 55706

OSVDB: 85807

CERT: 950795

EDB-ID: 21546