12 vulnerabilities found for ePolicy Orchestrator (ePO) by McAfee
CVE-2018-6672 (GCVE-0-2018-6672)
Vulnerability from cvelistv5 – Published: 2018-06-15 14:00 – Updated: 2024-08-05 06:10
Summary
Information disclosure vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows authenticated users to view sensitive information in plain text format via unspecified vectors.
Severity ?
5.7 (Medium)
CWE
- Information disclosure vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.3.0 through 5.3.3, < 5.3.3 with hotfix EPO5xHF1229850 (custom); Affected: 5.9.0 through 5.9.1, < 5.9.1 with hotfix EPO5xHF1229850 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:10:11.360Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "104485",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104485"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "1041155",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1041155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"lessThan": "5.3.3 with hotfix EPO5xHF1229850",
"status": "affected",
"version": "5.3.0 through 5.3.3",
"versionType": "custom"
},
{
"lessThan": "5.9.1 with hotfix EPO5xHF1229850",
"status": "affected",
"version": "5.9.0 through 5.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-06-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Information disclosure vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows authenticated users to view sensitive information in plain text format via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information disclosure vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-24T09:57:01",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"name": "104485",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104485"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "1041155",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1041155"
}
],
"source": {
"advisory": "SB10240",
"discovery": "INTERNAL"
},
"title": "SB10240 - ePolicy Orchestrator (ePO) - Information disclosure vulnerablity",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mcafee.com",
"ID": "CVE-2018-6672",
"STATE": "PUBLIC",
"TITLE": "SB10240 - ePolicy Orchestrator (ePO) - Information disclosure vulnerablity"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "5.3.0 through 5.3.3",
"version_value": "5.3.3 with hotfix EPO5xHF1229850"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "5.9.0 through 5.9.1",
"version_value": "5.9.1 with hotfix EPO5xHF1229850"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Information disclosure vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows authenticated users to view sensitive information in plain text format via unspecified vectors."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information disclosure vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "104485",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104485"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "1041155",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1041155"
}
]
},
"source": {
"advisory": "SB10240",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2018-6672",
"datePublished": "2018-06-15T14:00:00",
"dateReserved": "2018-02-06T00:00:00",
"dateUpdated": "2024-08-05T06:10:11.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6671 (GCVE-0-2018-6671)
Vulnerability from cvelistv5 – Published: 2018-06-15 14:00 – Updated: 2024-08-05 06:10
Summary
Application Protection Bypass vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows remote authenticated users to bypass localhost only access security protection for some ePO features via a specially crafted HTTP request.
Severity ?
4.7 (Medium)
CWE
- Application Protection Bypass vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.3.0 through 5.3.3, < 5.3.3 with hotfix EPO5xHF1229850 (custom); Affected: 5.9.0 through 5.9.1, < 5.9.1 with hotfix EPO5xHF1229850 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:10:11.361Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "104485",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104485"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "46518",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46518/"
},
{
"name": "1041155",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1041155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"lessThan": "5.3.3 with hotfix EPO5xHF1229850",
"status": "affected",
"version": "5.3.0 through 5.3.3",
"versionType": "custom"
},
{
"lessThan": "5.9.1 with hotfix EPO5xHF1229850",
"status": "affected",
"version": "5.9.0 through 5.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-06-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Application Protection Bypass vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows remote authenticated users to bypass localhost only access security protection for some ePO features via a specially crafted HTTP request."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Application Protection Bypass vulnerability\n",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-09T10:57:01",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"name": "104485",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104485"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "46518",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/46518/"
},
{
"name": "1041155",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1041155"
}
],
"source": {
"advisory": "SB10240",
"discovery": "INTERNAL"
},
"title": "SB10240 - ePolicy Orchestrator (ePO) - Application Protection Bypass vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mcafee.com",
"ID": "CVE-2018-6671",
"STATE": "PUBLIC",
"TITLE": "SB10240 - ePolicy Orchestrator (ePO) - Application Protection Bypass vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "5.3.0 through 5.3.3",
"version_value": "5.3.3 with hotfix EPO5xHF1229850"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "5.9.0 through 5.9.1",
"version_value": "5.9.1 with hotfix EPO5xHF1229850"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Application Protection Bypass vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows remote authenticated users to bypass localhost only access security protection for some ePO features via a specially crafted HTTP request."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Application Protection Bypass vulnerability\n"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "104485",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104485"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "46518",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/46518/"
},
{
"name": "1041155",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1041155"
}
]
},
"source": {
"advisory": "SB10240",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2018-6671",
"datePublished": "2018-06-15T14:00:00",
"dateReserved": "2018-02-06T00:00:00",
"dateUpdated": "2024-08-05T06:10:11.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-3936 (GCVE-0-2017-3936)
Vulnerability from cvelistv5 – Published: 2018-06-13 21:00 – Updated: 2024-08-05 14:39
Summary
OS Command Injection vulnerability in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, 5.3.1, 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows attackers to run arbitrary OS commands with limited privileges via not sanitizing the user input data before exporting it into a CSV format output.
Severity ?
6.2 (Medium)
CWE
- OS Command Injection vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.1, < 5.3.3 (custom); Affected: 5.3, < 5.3.3 (custom); Affected: 5.9, < 5.9.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:39:41.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103155",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103155"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10227"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86"
],
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"lessThan": "5.3.3",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.3.3",
"status": "affected",
"version": "5.3",
"versionType": "custom"
},
{
"lessThan": "5.9.1",
"status": "affected",
"version": "5.9",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-02-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection vulnerability in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, 5.3.1, 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows attackers to run arbitrary OS commands with limited privileges via not sanitizing the user input data before exporting it into a CSV format output."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "OS Command Injection vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-14T09:57:01",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"name": "103155",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103155"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10227"
}
],
"source": {
"advisory": "SB10227",
"discovery": "INTERNAL"
},
"title": "McAfee ePolicy Orchestrator (ePO) - OS Command Injection vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mcafee.com",
"ID": "CVE-2017-3936",
"STATE": "PUBLIC",
"TITLE": "McAfee ePolicy Orchestrator (ePO) - OS Command Injection vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"affected": "\u003c",
"platform": "x86",
"version_affected": "\u003c",
"version_name": "5.1",
"version_value": "5.3.3"
},
{
"affected": "\u003c",
"platform": "x86",
"version_affected": "\u003c",
"version_name": "5.3",
"version_value": "5.3.3"
},
{
"affected": "\u003c",
"platform": "x86",
"version_affected": "\u003c",
"version_name": "5.9",
"version_value": "5.9.1"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OS Command Injection vulnerability in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, 5.3.1, 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows attackers to run arbitrary OS commands with limited privileges via not sanitizing the user input data before exporting it into a CSV format output."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "OS Command Injection vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103155",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103155"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10227",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10227"
}
]
},
"source": {
"advisory": "SB10227",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2017-3936",
"datePublished": "2018-06-13T21:00:00",
"dateReserved": "2016-12-26T00:00:00",
"dateUpdated": "2024-08-05T14:39:41.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6659 (GCVE-0-2018-6659)
Vulnerability from cvelistv5 – Published: 2018-04-02 17:00 – Updated: 2024-09-16 16:23
Summary
Reflected Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows remote authenticated users to exploit an XSS issue via not sanitizing the user input.
Severity ?
CWE
- Reflected Cross-Site Scripting vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.3.2; Affected: 5.3.1; Affected: 5.3.0; Affected: 5.9.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:10:10.952Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103392",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040884"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"status": "affected",
"version": "5.3.2"
},
{
"status": "affected",
"version": "5.3.1"
},
{
"status": "affected",
"version": "5.3.0"
},
{
"status": "affected",
"version": "5.9.0"
}
]
}
],
"datePublic": "2018-03-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Reflected Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows remote authenticated users to exploit an XSS issue via not sanitizing the user input."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Reflected Cross-Site Scripting vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-17T09:57:01",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"name": "103392",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040884"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
],
"source": {
"advisory": "SB10228",
"discovery": "EXTERNAL"
},
"title": "SB10228 ePO Reflected Cross-Site Scripting vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mcafee.com",
"DATE_PUBLIC": "2018-03-09T18:00:00.000Z",
"ID": "CVE-2018-6659",
"STATE": "PUBLIC",
"TITLE": "SB10228 ePO Reflected Cross-Site Scripting vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.2",
"version_value": "5.3.2"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.1",
"version_value": "5.3.1"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.0",
"version_value": "5.3.0"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.9.0",
"version_value": "5.9.0"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Reflected Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows remote authenticated users to exploit an XSS issue via not sanitizing the user input."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Reflected Cross-Site Scripting vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103392",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040884"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
]
},
"source": {
"advisory": "SB10228",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2018-6659",
"datePublished": "2018-04-02T17:00:00Z",
"dateReserved": "2018-02-06T00:00:00",
"dateUpdated": "2024-09-16T16:23:29.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6660 (GCVE-0-2018-6660)
Vulnerability from cvelistv5 – Published: 2018-04-02 13:00 – Updated: 2024-09-16 22:40
Summary
Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows administrators to use Windows alternate data streams, which could be used to bypass the file extensions, via not properly validating the path when exporting a particular XML file.
Severity ?
6.2 (Medium)
CWE
- Directory Traversal vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.3.2; Affected: 5.3.1; Affected: 5.3.0; Affected: 5.9.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:10:11.322Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103392",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040884"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"status": "affected",
"version": "5.3.2"
},
{
"status": "affected",
"version": "5.3.1"
},
{
"status": "affected",
"version": "5.3.0"
},
{
"status": "affected",
"version": "5.9.0"
}
]
}
],
"datePublic": "2018-03-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows administrators to use Windows alternate data streams, which could be used to bypass the file extensions, via not properly validating the path when exporting a particular XML file."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Directory Traversal vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-17T09:57:01",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"name": "103392",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040884"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
],
"source": {
"advisory": "SB10228",
"discovery": "EXTERNAL"
},
"title": "SB10228 ePO Directory Traversal vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mcafee.com",
"DATE_PUBLIC": "2018-03-09T18:00:00.000Z",
"ID": "CVE-2018-6660",
"STATE": "PUBLIC",
"TITLE": "SB10228 ePO Directory Traversal vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.2",
"version_value": "5.3.2"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.1",
"version_value": "5.3.1"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.0",
"version_value": "5.3.0"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.9.0",
"version_value": "5.9.0"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows administrators to use Windows alternate data streams, which could be used to bypass the file extensions, via not properly validating the path when exporting a particular XML file."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Directory Traversal vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103392",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040884"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
]
},
"source": {
"advisory": "SB10228",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2018-6660",
"datePublished": "2018-04-02T13:00:00Z",
"dateReserved": "2018-02-06T00:00:00",
"dateUpdated": "2024-09-16T22:40:52.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-3980 (GCVE-0-2017-3980)
Vulnerability from cvelistv5 – Published: 2017-05-18 19:00 – Updated: 2024-08-05 14:39
Summary
A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session.
Severity ?
No CVSS data available.
CWE
- A directory traversal vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.9.0 and earlier; Affected: 5.3.2 and earlier; Affected: 5.1.3 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:39:41.155Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "98559",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/98559"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10196"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"status": "affected",
"version": "5.9.0 and earlier"
},
{
"status": "affected",
"version": "5.3.2 and earlier"
},
{
"status": "affected",
"version": "5.1.3 and earlier"
}
]
}
],
"datePublic": "2017-05-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "A directory traversal vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-24T09:57:01",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"name": "98559",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/98559"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10196"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@intel.com",
"ID": "CVE-2017-3980",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"version_value": "5.9.0 and earlier"
},
{
"version_value": "5.3.2 and earlier"
},
{
"version_value": "5.1.3 and earlier"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "A directory traversal vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "98559",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/98559"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10196",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10196"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2017-3980",
"datePublished": "2017-05-18T19:00:00",
"dateReserved": "2016-12-26T00:00:00",
"dateUpdated": "2024-08-05T14:39:41.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6672 (GCVE-0-2018-6672)
Vulnerability from nvd – Published: 2018-06-15 14:00 – Updated: 2024-08-05 06:10
Summary
Information disclosure vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows authenticated users to view sensitive information in plain text format via unspecified vectors.
Severity ?
5.7 (Medium)
CWE
- Information disclosure vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.3.0 through 5.3.3, < 5.3.3 with hotfix EPO5xHF1229850 (custom); Affected: 5.9.0 through 5.9.1, < 5.9.1 with hotfix EPO5xHF1229850 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:10:11.360Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "104485",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104485"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "1041155",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1041155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"lessThan": "5.3.3 with hotfix EPO5xHF1229850",
"status": "affected",
"version": "5.3.0 through 5.3.3",
"versionType": "custom"
},
{
"lessThan": "5.9.1 with hotfix EPO5xHF1229850",
"status": "affected",
"version": "5.9.0 through 5.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-06-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Information disclosure vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows authenticated users to view sensitive information in plain text format via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information disclosure vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-24T09:57:01",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"name": "104485",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104485"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "1041155",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1041155"
}
],
"source": {
"advisory": "SB10240",
"discovery": "INTERNAL"
},
"title": "SB10240 - ePolicy Orchestrator (ePO) - Information disclosure vulnerablity",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mcafee.com",
"ID": "CVE-2018-6672",
"STATE": "PUBLIC",
"TITLE": "SB10240 - ePolicy Orchestrator (ePO) - Information disclosure vulnerablity"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "5.3.0 through 5.3.3",
"version_value": "5.3.3 with hotfix EPO5xHF1229850"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "5.9.0 through 5.9.1",
"version_value": "5.9.1 with hotfix EPO5xHF1229850"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Information disclosure vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows authenticated users to view sensitive information in plain text format via unspecified vectors."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information disclosure vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "104485",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104485"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "1041155",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1041155"
}
]
},
"source": {
"advisory": "SB10240",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2018-6672",
"datePublished": "2018-06-15T14:00:00",
"dateReserved": "2018-02-06T00:00:00",
"dateUpdated": "2024-08-05T06:10:11.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6671 (GCVE-0-2018-6671)
Vulnerability from nvd – Published: 2018-06-15 14:00 – Updated: 2024-08-05 06:10
Summary
Application Protection Bypass vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows remote authenticated users to bypass localhost only access security protection for some ePO features via a specially crafted HTTP request.
Severity ?
4.7 (Medium)
CWE
- Application Protection Bypass vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.3.0 through 5.3.3, < 5.3.3 with hotfix EPO5xHF1229850 (custom); Affected: 5.9.0 through 5.9.1, < 5.9.1 with hotfix EPO5xHF1229850 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:10:11.361Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "104485",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104485"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "46518",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46518/"
},
{
"name": "1041155",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1041155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"lessThan": "5.3.3 with hotfix EPO5xHF1229850",
"status": "affected",
"version": "5.3.0 through 5.3.3",
"versionType": "custom"
},
{
"lessThan": "5.9.1 with hotfix EPO5xHF1229850",
"status": "affected",
"version": "5.9.0 through 5.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-06-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Application Protection Bypass vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows remote authenticated users to bypass localhost only access security protection for some ePO features via a specially crafted HTTP request."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Application Protection Bypass vulnerability\n",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-09T10:57:01",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"name": "104485",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104485"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "46518",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/46518/"
},
{
"name": "1041155",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1041155"
}
],
"source": {
"advisory": "SB10240",
"discovery": "INTERNAL"
},
"title": "SB10240 - ePolicy Orchestrator (ePO) - Application Protection Bypass vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mcafee.com",
"ID": "CVE-2018-6671",
"STATE": "PUBLIC",
"TITLE": "SB10240 - ePolicy Orchestrator (ePO) - Application Protection Bypass vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "5.3.0 through 5.3.3",
"version_value": "5.3.3 with hotfix EPO5xHF1229850"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "5.9.0 through 5.9.1",
"version_value": "5.9.1 with hotfix EPO5xHF1229850"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Application Protection Bypass vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows remote authenticated users to bypass localhost only access security protection for some ePO features via a specially crafted HTTP request."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Application Protection Bypass vulnerability\n"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "104485",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104485"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
},
{
"name": "46518",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/46518/"
},
{
"name": "1041155",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1041155"
}
]
},
"source": {
"advisory": "SB10240",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2018-6671",
"datePublished": "2018-06-15T14:00:00",
"dateReserved": "2018-02-06T00:00:00",
"dateUpdated": "2024-08-05T06:10:11.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-3936 (GCVE-0-2017-3936)
Vulnerability from nvd – Published: 2018-06-13 21:00 – Updated: 2024-08-05 14:39
Summary
OS Command Injection vulnerability in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, 5.3.1, 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows attackers to run arbitrary OS commands with limited privileges via not sanitizing the user input data before exporting it into a CSV format output.
Severity ?
6.2 (Medium)
CWE
- OS Command Injection vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.1, < 5.3.3 (custom); Affected: 5.3, < 5.3.3 (custom); Affected: 5.9, < 5.9.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:39:41.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103155",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103155"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10227"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86"
],
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"lessThan": "5.3.3",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.3.3",
"status": "affected",
"version": "5.3",
"versionType": "custom"
},
{
"lessThan": "5.9.1",
"status": "affected",
"version": "5.9",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-02-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection vulnerability in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, 5.3.1, 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows attackers to run arbitrary OS commands with limited privileges via not sanitizing the user input data before exporting it into a CSV format output."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "OS Command Injection vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-14T09:57:01",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"name": "103155",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103155"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10227"
}
],
"source": {
"advisory": "SB10227",
"discovery": "INTERNAL"
},
"title": "McAfee ePolicy Orchestrator (ePO) - OS Command Injection vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mcafee.com",
"ID": "CVE-2017-3936",
"STATE": "PUBLIC",
"TITLE": "McAfee ePolicy Orchestrator (ePO) - OS Command Injection vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"affected": "\u003c",
"platform": "x86",
"version_affected": "\u003c",
"version_name": "5.1",
"version_value": "5.3.3"
},
{
"affected": "\u003c",
"platform": "x86",
"version_affected": "\u003c",
"version_name": "5.3",
"version_value": "5.3.3"
},
{
"affected": "\u003c",
"platform": "x86",
"version_affected": "\u003c",
"version_name": "5.9",
"version_value": "5.9.1"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OS Command Injection vulnerability in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, 5.3.1, 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows attackers to run arbitrary OS commands with limited privileges via not sanitizing the user input data before exporting it into a CSV format output."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "OS Command Injection vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103155",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103155"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10227",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10227"
}
]
},
"source": {
"advisory": "SB10227",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2017-3936",
"datePublished": "2018-06-13T21:00:00",
"dateReserved": "2016-12-26T00:00:00",
"dateUpdated": "2024-08-05T14:39:41.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6659 (GCVE-0-2018-6659)
Vulnerability from nvd – Published: 2018-04-02 17:00 – Updated: 2024-09-16 16:23
Summary
Reflected Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows remote authenticated users to exploit an XSS issue via not sanitizing the user input.
Severity ?
3.7 (Low)
CWE
- Reflected Cross-Site Scripting vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.3.2; Affected: 5.3.1; Affected: 5.3.0; Affected: 5.9.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:10:10.952Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103392",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040884"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"status": "affected",
"version": "5.3.2"
},
{
"status": "affected",
"version": "5.3.1"
},
{
"status": "affected",
"version": "5.3.0"
},
{
"status": "affected",
"version": "5.9.0"
}
]
}
],
"datePublic": "2018-03-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Reflected Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows remote authenticated users to exploit an XSS issue via not sanitizing the user input."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Reflected Cross-Site Scripting vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-17T09:57:01",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"name": "103392",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040884"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
],
"source": {
"advisory": "SB10228",
"discovery": "EXTERNAL"
},
"title": "SB10228 ePO Reflected Cross-Site Scripting vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mcafee.com",
"DATE_PUBLIC": "2018-03-09T18:00:00.000Z",
"ID": "CVE-2018-6659",
"STATE": "PUBLIC",
"TITLE": "SB10228 ePO Reflected Cross-Site Scripting vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.2",
"version_value": "5.3.2"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.1",
"version_value": "5.3.1"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.0",
"version_value": "5.3.0"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.9.0",
"version_value": "5.9.0"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Reflected Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows remote authenticated users to exploit an XSS issue via not sanitizing the user input."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Reflected Cross-Site Scripting vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103392",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040884"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
]
},
"source": {
"advisory": "SB10228",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2018-6659",
"datePublished": "2018-04-02T17:00:00Z",
"dateReserved": "2018-02-06T00:00:00",
"dateUpdated": "2024-09-16T16:23:29.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6660 (GCVE-0-2018-6660)
Vulnerability from nvd – Published: 2018-04-02 13:00 – Updated: 2024-09-16 22:40
Summary
Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows administrators to use Windows alternate data streams, which could be used to bypass the file extensions, via not properly validating the path when exporting a particular XML file.
Severity ?
6.2 (Medium)
CWE
- Directory Traversal vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.3.2; Affected: 5.3.1; Affected: 5.3.0; Affected: 5.9.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:10:11.322Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103392",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040884"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"status": "affected",
"version": "5.3.2"
},
{
"status": "affected",
"version": "5.3.1"
},
{
"status": "affected",
"version": "5.3.0"
},
{
"status": "affected",
"version": "5.9.0"
}
]
}
],
"datePublic": "2018-03-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows administrators to use Windows alternate data streams, which could be used to bypass the file extensions, via not properly validating the path when exporting a particular XML file."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Directory Traversal vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-17T09:57:01",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"name": "103392",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040884"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
],
"source": {
"advisory": "SB10228",
"discovery": "EXTERNAL"
},
"title": "SB10228 ePO Directory Traversal vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mcafee.com",
"DATE_PUBLIC": "2018-03-09T18:00:00.000Z",
"ID": "CVE-2018-6660",
"STATE": "PUBLIC",
"TITLE": "SB10228 ePO Directory Traversal vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.2",
"version_value": "5.3.2"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.1",
"version_value": "5.3.1"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.3.0",
"version_value": "5.3.0"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "5.9.0",
"version_value": "5.9.0"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows administrators to use Windows alternate data streams, which could be used to bypass the file extensions, via not properly validating the path when exporting a particular XML file."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Directory Traversal vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103392",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103392"
},
{
"name": "1040884",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040884"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10228"
}
]
},
"source": {
"advisory": "SB10228",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2018-6660",
"datePublished": "2018-04-02T13:00:00Z",
"dateReserved": "2018-02-06T00:00:00",
"dateUpdated": "2024-09-16T22:40:52.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-3980 (GCVE-0-2017-3980)
Vulnerability from nvd – Published: 2017-05-18 19:00 – Updated: 2024-08-05 14:39
Summary
A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session.
Severity ?
No CVSS data available.
CWE
- A directory traversal vulnerability
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| McAfee | ePolicy Orchestrator (ePO) | Affected: 5.9.0 and earlier; Affected: 5.3.2 and earlier; Affected: 5.1.3 and earlier |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:39:41.155Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "98559",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/98559"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10196"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ePolicy Orchestrator (ePO)",
"vendor": "McAfee",
"versions": [
{
"status": "affected",
"version": "5.9.0 and earlier"
},
{
"status": "affected",
"version": "5.3.2 and earlier"
},
{
"status": "affected",
"version": "5.1.3 and earlier"
}
]
}
],
"datePublic": "2017-05-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "A directory traversal vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-24T09:57:01",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"name": "98559",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/98559"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10196"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@intel.com",
"ID": "CVE-2017-3980",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"version_value": "5.9.0 and earlier"
},
{
"version_value": "5.3.2 and earlier"
},
{
"version_value": "5.1.3 and earlier"
}
]
}
}
]
},
"vendor_name": "McAfee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "A directory traversal vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "98559",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/98559"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10196",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10196"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2017-3980",
"datePublished": "2017-05-18T19:00:00",
"dateReserved": "2016-12-26T00:00:00",
"dateUpdated": "2024-08-05T14:39:41.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}