Saturday, April 28, 2012

Trend Micro Control Manager 5.5 Cross-Site Scripting (XSS) Vulnerability


Description
Trend Micro Control Manager provides a convenient centralized security management console that is designed to minimize administrative complexity and work with Trend Micro solutions to maximize security.

Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Scripting vulnerability in Trend Micro Control Manager. This issue was discovered in a default installation of Trend Micro Control Manager 5.5 Build 1250 (Hot Fix: 1350). Other earlier versions may also be affected.


Proof of concept
https://[target]/commoncgi/servlet/CCGIServlet?ApHost=SLF_PRODUCT_TVCS"><script>alert(/XSS/)</script>&CGIAlias=SLF_PRODUCT_TVCS&Page=
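
The proof of concept above relies on the ApHost parameter being reflected into an HTML attribute without encoding, so the `">` in the value closes the attribute and starts a new tag. As an added illustration that is not part of the original advisory and is not Trend Micro's code, the Python below models that reflection, the attribute-encoded fix, and a check that flags the same breakout pattern in constructed web-server access-log lines; the servlet path and parameter names are taken from the PoC URL, and everything else (the rendered markup, the log format) is assumed.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# The ApHost value from the advisory's proof-of-concept URL.
POC_APHOST = 'SLF_PRODUCT_TVCS"><script>alert(/XSS/)</script>'

def render_vulnerable(ap_host):
    # Hypothetical reflection: the parameter is concatenated into an attribute as-is.
    return '<input type="hidden" name="ApHost" value="' + ap_host + '">'

def render_fixed(ap_host):
    # Same reflection, but with HTML attribute encoding (quote=True also escapes ").
    return '<input type="hidden" name="ApHost" value="' + html.escape(ap_host, quote=True) + '">'

class _StartTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def script_tag_count(markup):
    # Number of <script> start tags an HTML parser sees in the rendered fragment.
    p = _StartTags()
    p.feed(markup)
    return p.tags.count("script")

_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_attribute_breakout(log_line):
    # True when a request to the affected servlet carries an ApHost value that
    # closes a quoted attribute or opens a tag (the pattern in the PoC); else False.
    m = _REQ.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.endswith("/commoncgi/servlet/CCGIServlet"):
        return False
    value = parse_qs(url.query, keep_blank_values=True).get("ApHost", [""])[0]
    return re.search(r'["\']\s*>|<\s*/?[a-z]', value, re.IGNORECASE) is not None

# Constructed access-log lines (not from the advisory): one benign, one carrying the PoC.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Apr/2012:10:00:01 +0000] "GET /commoncgi/servlet/CCGIServlet?ApHost=SLF_PRODUCT_TVCS&CGIAlias=SLF_PRODUCT_TVCS&Page= HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Apr/2012:10:00:02 +0000] "GET /commoncgi/servlet/CCGIServlet?ApHost=SLF_PRODUCT_TVCS%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E&CGIAlias=SLF_PRODUCT_TVCS&Page= HTTP/1.1" 200 512',
]
```

With the PoC value, `script_tag_count` returns 1 for the vulnerable rendering and 0 for the encoded one, and only the second sample log line is flagged.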

Solution
Trend Micro has released patches which address this issue. Please see the references for more information.

References

Vendor URL: http://downloadcenter.trendmicro.com/index.php?prodid=7#fragment-1845
Secunia: http://secunia.com/advisories/44134/

Disclosure Timeline
2011-04-09 - Vulnerability discovered.
2011-04-09 - Vulnerability reported to Secunia.
2011-04-28 - Secunia confirmed the vulnerability and contacted the vendor.
2011-06-15 - Patch released.
2011-06-16 - Advisory published by Secunia.
