CVSS: 6.3EPSS: 0%CPEs: 11EXPL: 0CVE-2021-23888 – McAfee ePO unvalidated URL redirect vulnerability
https://notcve.org/view.php?id=CVE-2021-23888
26 Mar 2021 — Unvalidated client-side URL redirect vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 could cause an authenticated ePO user to load an untrusted site in an ePO iframe which could steal information from the authenticated user. Una vulnerabilidad de redireccionamiento de la URL del lado del cliente no comprobada en McAfee ePolicy Orchestrator (ePO) versiones anteriores a 5.10 Update 10, podría causar a un usuario de ePO autenticado cargar un sitio no confiable en un iframe de ePO que... • https://kc.mcafee.com/corporate/index?page=content&id=SB10352 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.8EPSS: 0%CPEs: 11EXPL: 0CVE-2021-23889 – McAfee ePO Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2021-23889
26 Mar 2021 — Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. Una vulnerabilidad de tipo Cross-Site Scripting en McAfee ePolicy Orchestrator (ePO) versiones anteriores a 5.10 Update 10, permite a administradores de ePO inyectar script web o HTML arbitrario por medio de múltiples parámetros donde las entradas del administrad... • https://kc.mcafee.com/corporate/index?page=content&id=SB10352 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 67EXPL: 1CVE-2021-23840 – Integer overflow in CipherUpdate
https://notcve.org/view.php?id=CVE-2021-23840
16 Feb 2021 — Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrad... • https://github.com/Trinadh465/openssl-1.1.1g_CVE-2021-23840 • CWE-190: Integer Overflow or Wraparound •
CVSS: 4.6EPSS: 0%CPEs: 2EXPL: 0CVE-2020-7317 – ePolicy Orchistrator (ePO) - Cross-Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2020-7317
14 Oct 2020 — Cross-Site Scripting vulnerability in McAfee ePolicy Orchistrator (ePO) prior to 5.10.9 Update 9 allows administrators to inject arbitrary web script or HTML via parameter values for "syncPointList" not being correctly sanitsed. Una vulnerabilidad de tipo Cross-Site Scripting en McAfee ePolicy Orchistrator (ePO) versiones anteriores a 5.10.9 Update 9, permite a administradores inyectar script web o HTML arbitrario por medio de valores de parámetros para "syncPointList" no ha sido saneado correctamente • https://kc.mcafee.com/corporate/index?page=content&id=SB10332 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 3%CPEs: 3EXPL: 0CVE-2017-3980
https://notcve.org/view.php?id=CVE-2017-3980
18 May 2017 — A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session. Una vulnerabilidad de salto de directorio en la Extensión ePO en McAfee ePolicy Orchestrator (ePO) versiones 5.9.0, 5.3.2 y 5.1.3 y anteriores permite a los usuarios autenticados remotos ejecutar un comando de su elección por medio de una sesión de ePO autenticada. • http://www.securityfocus.com/bid/98559 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2015-8765
https://notcve.org/view.php?id=CVE-2015-8765
08 Jan 2016 — Intel McAfee ePolicy Orchestrator (ePO) 4.6.9 and earlier, 5.0.x, 5.1.x before 5.1.3 Hotfix 1106041, and 5.3.x before 5.3.1 Hotfix 1106041 allow remote attackers to execute arbitrary code via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. Intel McAfee ePolicy Orchestrator (ePO) 4.6.9 y versiones anteriores, 5.0.x, 5.1.x en versiones anteriores a 5.1.3 Hotfix 1106041 y 5.3.x en versiones anteriores a 5.3.1 Hotfix 1106041 permiten a atacantes remotos ejecutar código... • https://kc.mcafee.com/corporate/index?page=content&id=SB10144 •
CVSS: 5.9EPSS: 0%CPEs: 22EXPL: 0CVE-2015-2859
https://notcve.org/view.php?id=CVE-2015-2859
23 Jun 2015 — Intel McAfee ePolicy Orchestrator (ePO) 4.x through 4.6.9 and 5.x through 5.1.2 does not validate server names and Certification Authority names in X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. Intel McAfee ePolicy Orchestrator (ePO) 4.x hasta 4.6.9 y 5.x hasta 5.1.2 no valida los nombres de servidores y los nombres de de autoridades certificadoras en los certificados X.509 de servidores SSL, lo que ... • http://www.kb.cert.org/vuls/id/264092 • CWE-310: Cryptographic Issues •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-4559
https://notcve.org/view.php?id=CVE-2015-4559
15 Jun 2015 — Cross-site scripting (XSS) vulnerability in the product deployment feature in the Java core web services in Intel McAfee ePolicy Orchestrator (ePO) before 5.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en la característica del despliegue de productos en los servicios web del núcleo de Java en Intel McAfee ePolicy Orchestrator (ePO) anterior a 5.1.2 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través ... • http://www.securityfocus.com/bid/91539 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 58%CPEs: 5EXPL: 1CVE-2015-0921
https://notcve.org/view.php?id=CVE-2015-0921
09 Jan 2015 — XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do. Vulnerabilidad de entidad externa XML (XXE) en el registro Server Task en McAfee ePolicy Orchestrator (ePO) anterior a 4.6.9 y 5.x anterior a 5.1.2 permite a usuarios remotos autenticados leer ficheros arbitrarios a través del parámetro co... • http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html •
CVSS: 9.8EPSS: 45%CPEs: 5EXPL: 2CVE-2015-0922
https://notcve.org/view.php?id=CVE-2015-0922
09 Jan 2015 — McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password. McAfee ePolicy Orchestrator (ePO) anterior a 4.6.9 y 5.x anterior a 5.1.2 utiliza la misma clave en diferentes instalaciones para clientes, lo que permite a atacantes obtener la contraseña de administradores mediante el aprovechamiento del conocimiento de la contra... • http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •