PT-2013-5260 · Mcafee · Mcafee Epolicy Orchestrator+1
Publicado
2013-07-21
·
Atualizado
2013-08-22
·
CVE-2013-4883
CVSS v2.0
4.3
Média
| Vetor | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
McAfee ePolicy Orchestrator versions 4.6.6 and earlier
McAfee ePO Extension for the McAfee Agent versions 4.5 through 4.6
Description
The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including
instanceId, monitorUrl, uid, orion.user.security.token, and ajaxMode, in various API endpoints such as "core/loadDisplayType.do", "console/createDashboardContainer.do", "ComputerMgmt/sysDetPanelBoolPie.do", "ComputerMgmt/sysDetPanelSummary.do", "ComputerMgmt/sysDetPanelQry.do".Recommendations
For McAfee ePolicy Orchestrator versions 4.6.6 and earlier, update to a version later than 4.6.6.
For McAfee ePO Extension for the McAfee Agent versions 4.5 through 4.6, update to a version later than 4.6.
As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "core/loadDisplayType.do", "console/createDashboardContainer.do", "ComputerMgmt/sysDetPanelBoolPie.do", "ComputerMgmt/sysDetPanelSummary.do", "ComputerMgmt/sysDetPanelQry.do", until a patch is available.
Avoid using the vulnerable parameters
instanceId, monitorUrl, uid, orion.user.security.token, and ajaxMode in the affected API endpoints until the issue is resolved.Exploit
Correção
XSS
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Mcafee Epo Extension For The Mcafee Agent
Mcafee Epolicy Orchestrator