CVSS: 5.4EPSS: 0%CPEs: 14EXPL: 0CVE-2022-0842 – ePO blind SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2022-0842
A blind SQL injection vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote authenticated attacker to potentially obtain information from the ePO database. The data obtained is dependent on the privileges the attacker has and to obtain sensitive data the attacker would require administrator privileges. Una vulnerabilidad de inyección SQL ciega en McAfee Enterprise ePolicy Orchestrator (ePO) versiones anteriores a la Actualización 5.10 13, permite a un atacante remoto autenticado obtener potencialmente información de la base de datos de ePO. Los datos obtenidos dependen de los privilegios que tenga el atacante y para obtener datos confidenciales el atacante requeriría privilegios de administrador • https://kc.mcafee.com/corporate/index?page=content&id=SB10379 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 12EXPL: 0CVE-2021-31834 – McAfee ePO Cross-Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2021-31834
Stored Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. Una vulnerabilidad de tipo Cross-Site Scripting almacenado en McAfee ePolicy Orchestrator (ePO) versiones anteriores a la Actualización 5.10 11, permite a administradores de ePO inyectar scripts web o HTML arbitrarios por medio de varios parámetros en los que las entradas del administrador no se han saneado correctamente • https://kc.mcafee.com/corporate/index?page=content&id=SB10366 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 13EXPL: 0CVE-2021-31835 – McAfee ePO Cross-Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2021-31835
Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via a specific parameter where the administrator's entries were not correctly sanitized. Una vulnerabilidad de tipo Cross-Site Scripting en McAfee ePolicy Orchestrator (ePO) versiones anteriores a la Actualización 5.10 11, permite a administradores de ePO inyectar scripts web o HTML arbitrarios por medio de un parámetro específico en el que las entradas del administrador no se han saneado correctamente • https://kc.mcafee.com/corporate/index?page=content&id=SB10366 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 56EXPL: 0CVE-2021-3712 – Read buffer overruns processing ASN.1 strings
https://notcve.org/view.php?id=CVE-2021-3712
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. • http://www.openwall.com/lists/oss-security/2021/08/26/2 https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11 https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12 https://kc.mcafee.com/corporate/index?page=content&id=SB10366 https://lists.apache.org/thread.html/r18995de860f0e63635f3008f • CWE-125: Out-of-bounds Read •
CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2021-2432 – JDK: unspecified vulnerability fixed in 7u311 (JNDI)
https://notcve.org/view.php?id=CVE-2021-2432
Vulnerability in the Java SE product of Oracle Java SE (component: JNDI). The supported version that is affected is Java SE: 7u301. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://kc.mcafee.com/corporate/index?page=content&id=SB10366 https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20210723-0002 https://www.oracle.com/security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2021-2432 https://bugzilla.redhat.com/show_bug.cgi?id=1994980 •