CVSS: 5.4EPSS: 0%CPEs: 14EXPL: 0CVE-2022-0842 – ePO blind SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2022-0842
23 Mar 2022 — A blind SQL injection vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote authenticated attacker to potentially obtain information from the ePO database. The data obtained is dependent on the privileges the attacker has and to obtain sensitive data the attacker would require administrator privileges. Una vulnerabilidad de inyección SQL ciega en McAfee Enterprise ePolicy Orchestrator (ePO) versiones anteriores a la Actualización 5.10 13, permite a un atacante... • https://kc.mcafee.com/corporate/index?page=content&id=SB10379 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 12EXPL: 0CVE-2021-31834 – McAfee ePO Cross-Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2021-31834
22 Oct 2021 — Stored Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. Una vulnerabilidad de tipo Cross-Site Scripting almacenado en McAfee ePolicy Orchestrator (ePO) versiones anteriores a la Actualización 5.10 11, permite a administradores de ePO inyectar scripts web o HTML arbitrarios por medio de varios parámetros en los ... • https://kc.mcafee.com/corporate/index?page=content&id=SB10366 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 13EXPL: 0CVE-2021-31835 – McAfee ePO Cross-Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2021-31835
22 Oct 2021 — Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via a specific parameter where the administrator's entries were not correctly sanitized. Una vulnerabilidad de tipo Cross-Site Scripting en McAfee ePolicy Orchestrator (ePO) versiones anteriores a la Actualización 5.10 11, permite a administradores de ePO inyectar scripts web o HTML arbitrarios por medio de un parámetro específico en el que las entr... • https://kc.mcafee.com/corporate/index?page=content&id=SB10366 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 56EXPL: 0CVE-2021-3712 – Read buffer overruns processing ASN.1 strings
https://notcve.org/view.php?id=CVE-2021-3712
24 Aug 2021 — ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set... • http://www.openwall.com/lists/oss-security/2021/08/26/2 • CWE-125: Out-of-bounds Read •
CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2021-2432 – JDK: unspecified vulnerability fixed in 7u311 (JNDI)
https://notcve.org/view.php?id=CVE-2021-2432
20 Jul 2021 — Vulnerability in the Java SE product of Oracle Java SE (component: JNDI). The supported version that is affected is Java SE: 7u301. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start ... • https://kc.mcafee.com/corporate/index?page=content&id=SB10366 •
CVSS: 5.3EPSS: 15%CPEs: 42EXPL: 0CVE-2021-33037 – Incorrect Transfer-Encoding handling with HTTP/1.0
https://notcve.org/view.php?id=CVE-2021-33037
12 Jul 2021 — Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. ... • https://kc.mcafee.com/corporate/index?page=content&id=SB10366 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.5EPSS: 2%CPEs: 17EXPL: 0CVE-2021-30639 – DoS after non-blocking IO error
https://notcve.org/view.php?id=CVE-2021-30639
12 Jul 2021 — A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility o... • https://kc.mcafee.com/corporate/index?page=content&id=SB10366 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 5.5EPSS: 0%CPEs: 17EXPL: 0CVE-2020-13938 – Improper Handling of Insufficient Privileges
https://notcve.org/view.php?id=CVE-2020-13938
10 Jun 2021 — Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows Apache HTTP Server versiones 2.4.0 a 2.4.46 Los usuarios locales sin privilegios pueden detener httpd en Windows • http://httpd.apache.org/security/vulnerabilities_24.html • CWE-862: Missing Authorization •
CVSS: 5.9EPSS: 0%CPEs: 145EXPL: 0CVE-2021-2161 – OpenJDK: Incorrect handling of partially quoted arguments in ProcessBuilder on Windows (Libraries, 8250568)
https://notcve.org/view.php?id=CVE-2021-2161
22 Apr 2021 — Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this... • https://docs.azul.com/core/zulu-openjdk/release-notes/april-2021.html#fixed-common-vulnerabilities-and-exposures • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 11EXPL: 0CVE-2021-23890 – McAfee ePO Information Leak vulnerability
https://notcve.org/view.php?id=CVE-2021-23890
26 Mar 2021 — Information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) available in ePO repository and install them on their own machines to have it managed and then in turn get policy details from the ePO server. This can only happen when the ePO Agent Handler is installed in a Demilitarized Zone (DMZ) to service machines not connected to the network through a VPN. Una vu... • https://kc.mcafee.com/corporate/index?page=content&id=SB10352 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •