CVE-2015-0921
https://notcve.org/view.php?id=CVE-2015-0921
XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do. Vulnerabilidad de entidad externa XML (XXE) en el registro Server Task en McAfee ePolicy Orchestrator (ePO) anterior a 4.6.9 y 5.x anterior a 5.1.2 permite a usuarios remotos autenticados leer ficheros arbitrarios a través del parámetro conditionXML en taskLogTable en orionUpdateTableFilter.do. • http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html http://seclists.org/fulldisclosure/2015/Jan/37 http://seclists.org/fulldisclosure/2015/Jan/8 http://secunia.com/advisories/61922 http://www.securitytracker.com/id/1031519 https://exchange.xforce.ibmcloud.com/vulnerabilities/99950 https://gist.github.com/brandonprry/692e553975bf29aeaf2c https://kc.mcafee.com/corporate/index?page=content&id=SB10095 https://seclists.org/fulldisclosure/2015/Jan/8 •
CVE-2015-0922
https://notcve.org/view.php?id=CVE-2015-0922
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password. McAfee ePolicy Orchestrator (ePO) anterior a 4.6.9 y 5.x anterior a 5.1.2 utiliza la misma clave en diferentes instalaciones para clientes, lo que permite a atacantes obtener la contraseña de administradores mediante el aprovechamiento del conocimiento de la contraseña cifrada. • http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html http://seclists.org/fulldisclosure/2015/Jan/37 http://seclists.org/fulldisclosure/2015/Jan/8 http://www.securityfocus.com/bid/72298 http://www.securitytracker.com/id/1031519 https://exchange.xforce.ibmcloud.com/vulnerabilities/99949 https://gist.github.com/brandonprry/692e553975bf29aeaf2c https://kc.mcafee.com/corporate/index?page=content&id=SB10095 https://seclists.org/fulldisclosure/2015/Jan/8 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-2205
https://notcve.org/view.php?id=CVE-2014-2205
The Import and Export Framework in McAfee ePolicy Orchestrator (ePO) before 4.6.7 Hotfix 940148 allows remote authenticated users with permissions to add dashboards to read arbitrary files by importing a crafted XML file, related to an XML External Entity (XXE) issue. El Framework Import and Export en McAfee ePolicy Orchestrator (ePO) anterior a 4.6.7 Hotfix 940148 permite a usuarios remotos autenticados con permisos para añadir cuadros de mando leer archivos arbitrarios mediante la importación de un archivo XML manipilado, relacionado con un problema de XML External Entity (XXE). • http://secunia.com/advisories/57114 http://www.securityfocus.com/archive/1/531255/100/0/threaded http://www.securityfocus.com/bid/65771 https://kc.mcafee.com/corporate/index?page=content&id=SB10065 https://www.redteam-pentesting.de/advisories/rt-sa-2014-001.txt • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-4883 – McAfee ePO 4.6.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-4883
Multiple cross-site scripting (XSS) vulnerabilities in McAfee ePolicy Orchestrator 4.6.6 and earlier, and the ePO Extension for the McAfee Agent (MA) 4.5 through 4.6, allow remote attackers to inject arbitrary web script or HTML via the (1) instanceId parameter core/loadDisplayType.do; (2) instanceId or (3) monitorUrl parameter to console/createDashboardContainer.do; uid parameter to (4) ComputerMgmt/sysDetPanelBoolPie.do or (5) ComputerMgmt/sysDetPanelSummary.do; (6) uid, (7) orion.user.security.token, or (8) ajaxMode parameter to ComputerMgmt/sysDetPanelQry.do; or (9) uid, (10) orion.user.security.token, or (11) ajaxMode parameter to ComputerMgmt/sysDetPanelSummary.do. Múltiples vulnerabilidades XSS en McAfee ePolicy Orchestrator 4.6.6 y anteriores, y el ePO Extension para McAfee Agent (MA) 4.5 a la 4.6, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a través del parámetro (1) instanceId a core/loadDisplayType.do; del parámetro (2) instanceId o (3) monitorUrl a console/createDashboardContainer.do; del parámetro uid a (4) ComputerMgmt/sysDetPanelBoolPie.do o (5) ComputerMgmt/sysDetPanelSummary.do; (6) uid, (7) orion.user.security.token, o del parámetro(8) ajaxMode a ComputerMgmt/sysDetPanelQry.do; o (9) uid, (10) orion.user.security.token, o del parámetro (11) ajaxMode a ComputerMgmt/sysDetPanelSummary.do. • https://www.exploit-db.com/exploits/26807 http://osvdb.org/95187 http://osvdb.org/95188 http://osvdb.org/95189 http://osvdb.org/95190 http://osvdb.org/95191 http://www.securityfocus.com/archive/1/527228 http://www.securitytracker.com/id/1028803 https://kc.mcafee.com/corporate/index?page=content&id=KB78824 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-4882 – McAfee ePO 4.6.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-4882
Multiple SQL injection vulnerabilities in McAfee ePolicy Orchestrator 4.6.6 and earlier, and the ePolicy Orchestrator (ePO) extension for McAfee Agent (MA) 4.5 and 4.6, allow remote authenticated users to execute arbitrary SQL commands via the uid parameter to (1) core/showRegisteredTypeDetails.do and (2) EPOAGENTMETA/DisplayMSAPropsDetail.do, a different vulnerability than CVE-2013-0140. Vulnerabilidad de inyección SQL en McAfee ePolicy Orchestrator 4.6.6 y anteriores, y el ePO Extension (ePO) para McAfee Agent (MA) 4.5 a la 4.6, permite a usuarios autenticados remotamente ejecutar comandos SQL arbitrarios a través del parámetro (1) core/showRegisteredTypeDetails.do y (2) EPOAGENTMETA/DisplayMSAPropsDetail.do. Vulnerabilidad distinta de CVE-2013-0140. • https://www.exploit-db.com/exploits/26807 http://www.securityfocus.com/archive/1/527228 http://www.securitytracker.com/id/1028803 https://kc.mcafee.com/corporate/index?page=content&id=SB10043 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •