CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23879 – Unquoted service path vulnerability in McAfee Endpoint Product Removal (EPR) Tool prior to 21.2 allows local administrators to execute arbitrary code, with higher-level privileges, via execution from a compromised folder. The tool did not enforce and ...
https://notcve.org/view.php?id=CVE-2021-23879
Unquoted service path vulnerability in McAfee Endpoint Product Removal (EPR) Tool prior to 21.2 allows local administrators to execute arbitrary code, with higher-level privileges, via execution from a compromised folder. The tool did not enforce and protect the execution path. Local admin privileges are required to place the files in the required location. Una vulnerabilidad de ruta de servicio no citada en la herramienta McAfee Endpoint Product Removal (EPR) versiones anteriores a 21.2, permite a administradores locales ejecutar código arbitrario, con privilegios de nivel superior, por medio de una ejecución desde una carpeta comprometida. La herramienta no aplicó ni protegió la ruta de ejecución. • https://kc.mcafee.com/corporate/index?page=content&id=SB10351 • CWE-428: Unquoted Search Path or Element •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23885 – Privilege escalation vulnerability in McAfee Web Gateway (MWG) UI
https://notcve.org/view.php?id=CVE-2021-23885
Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticated user to gain elevated privileges through the User Interface and execute commands on the appliance via incorrect improper neutralization of user input in the troubleshooting page. Una vulnerabilidad de escalada de privilegios en McAfee Web Gateway (MWG) versiones anteriores a 9.2.8, permite a un usuario autenticado alcanzar privilegios elevados por medio de la interfaz de usuario y ejecutar comandos en el dispositivo por medio de la neutralización inapropiada e incorrecta de la entrada del usuario en la página de solución de problemas • https://kc.mcafee.com/corporate/index?page=content&id=SB10349 • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 67EXPL: 0CVE-2021-23840 – Integer overflow in CipherUpdate
https://notcve.org/view.php?id=CVE-2021-23840
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2 https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846 https://kc.mcafee.com/corporate/index?page=content&id=SB10366 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https:/ • CWE-190: Integer Overflow or Wraparound •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23881 – Stored Cross Site Scripting in ENS
https://notcve.org/view.php?id=CVE-2021-23881
A stored cross site scripting vulnerability in ePO extension of McAfee Endpoint Security (ENS) prior to 10.7.0 February 2021 Update allows an ENS ePO administrator to add a script to a policy event which will trigger the script to be run through a browser block page when a local non-administrator user triggers the policy. Una vulnerabilidad de tipo cross site scripting almacenado en la extensión ePO de McAfee Endpoint Security (ENS) versiones anteriores a 10.7.0 actualización de Febrero de 2021, permite a un administrador de ePO de ENS agregar un script a un evento de política que desencadenará el script para que sea ejecutado mediante una página de bloqueo del navegador cuando un usuario local que no es administrador activa la política • https://kc.mcafee.com/corporate/index?page=content&id=SB10345 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23874 – McAfee Total Protection (MTP) Improper Privilege Management Vulnerability
https://notcve.org/view.php?id=CVE-2021-23874
Arbitrary Process Execution vulnerability in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and execute arbitrary code bypassing MTP self-defense. Una vulnerabilidad de ejecución arbitraria de procesos en McAfee Total Protection (MTP) versiones anteriores a 16.0.30, permite a un usuario local alcanzar privilegios elevados y ejecutar código arbitrario omitiendo la autodefensa de MTP McAfee Total Protection (MTP) contains an improper privilege management vulnerability that allows a local user to gain elevated privileges and execute code, bypassing MTP self-defense. • http://service.mcafee.com/FAQDocument.aspx?&id=TS103114 • CWE-269: Improper Privilege Management CWE-732: Incorrect Permission Assignment for Critical Resource •