CVE-2020-7318

Name of the Vulnerable Software and Affected Versions: McAfee ePolicy Orchestrator versions prior to 5.10.9 Update 9

Description: The issue allows administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. This can lead to a Cross-Site Scripting attack. The vulnerability is related to the lack of protection of the web page structure, which can be exploited by a remote attacker to perform a Cross-Site Scripting attack.

Recommendations: For versions prior to 5.10.9 Update 9, update to version 5.10.9 Update 9 or later to resolve the issue. As a temporary workaround, consider restricting access to the syncPointList parameter to minimize the risk of exploitation. Avoid using the syncPointList parameter in the affected API endpoint until the issue is resolved. Restrict access to the /PolicyMgmt/policyDetailsCard.do endpoint to minimize the risk of exploitation.