CVE-2013-4883

Name of the Vulnerable Software and Affected Versions McAfee ePolicy Orchestrator versions 4.6.6 and earlier McAfee ePO Extension for the McAfee Agent versions 4.5 through 4.6

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including instanceId, monitorUrl, uid, orion.user.security.token, and ajaxMode, in various API endpoints such as "core/loadDisplayType.do", "console/createDashboardContainer.do", "ComputerMgmt/sysDetPanelBoolPie.do", "ComputerMgmt/sysDetPanelSummary.do", "ComputerMgmt/sysDetPanelQry.do".

Recommendations For McAfee ePolicy Orchestrator versions 4.6.6 and earlier, update to a version later than 4.6.6. For McAfee ePO Extension for the McAfee Agent versions 4.5 through 4.6, update to a version later than 4.6. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "core/loadDisplayType.do", "console/createDashboardContainer.do", "ComputerMgmt/sysDetPanelBoolPie.do", "ComputerMgmt/sysDetPanelSummary.do", "ComputerMgmt/sysDetPanelQry.do", until a patch is available. Avoid using the vulnerable parameters instanceId, monitorUrl, uid, orion.user.security.token, and ajaxMode in the affected API endpoints until the issue is resolved.