
CVSS: 4.3 | EPSS: 1% | CPEs: 9 | EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in McAfee ePolicy Orchestrator 4.6.6 and earlier, and the ePO Extension for the McAfee Agent (MA) 4.5 through 4.6, allow remote attackers to inject arbitrary web script or HTML via the (1) instanceId parameter to core/loadDisplayType.do; (2) instanceId or (3) monitorUrl parameter to console/createDashboardContainer.do; uid parameter to (4) ComputerMgmt/sysDetPanelBoolPie.do or (5) ComputerMgmt/sysDetPanelSummary.do; (6) uid, (7) orion.user.security.token, or (8) ajaxMode parameter to ComputerMgmt/sysDetPanelQry.do; or (9) uid, (10) orion.user.security.token, or (11) ajaxMode parameter to ComputerMgmt/sysDetPanelSummary.do.

• https://www.exploit-db.com/exploits/26807
• http://osvdb.org/95187
• http://osvdb.org/95188
• http://osvdb.org/95189
• http://osvdb.org/95190
• http://osvdb.org/95191
• http://www.securityfocus.com/archive/1/527228
• http://www.securitytracker.com/id/1028803
• https://kc.mcafee.com/corporate/index?page=content&id=KB78824
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 85% | CPEs: 9 | EXPL: 3

Format string vulnerability in the logDetail function of applib.dll in McAfee Common Management Agent (CMA) 3.6.0.574 (Patch 3) and earlier, as used in ePolicy Orchestrator 4.0.0 build 1015, allows remote attackers to cause a denial of service (crash) or execute arbitrary code via format string specifiers in a sender field in an AgentWakeup request to UDP port 8082. NOTE: this issue only exists when the debug level is 8.

• https://www.exploit-db.com/exploits/31399
• http://aluigi.altervista.org/adv/meccaffi-adv.txt
• http://secunia.com/advisories/29337
• http://securityreason.com/securityalert/3748
• http://www.securityfocus.com/archive/1/489476/100/0/threaded
• http://www.securityfocus.com/bid/28228
• http://www.securitytracker.com/id?1019609
• http://www.vupen.com/english/advisories/2008/0866/references
• https://exchange.xforce.ibmcloud.com/vulnerabilities/41178
• https://knowledge.mcafee.com/article/234/615103_f.sal&
• CWE-134: Use of Externally-Controlled Format String

CVSS: 7.6 | EPSS: 3% | CPEs: 6 | EXPL: 0

Integer overflow in McAfee ePolicy Orchestrator 3.5 through 3.6.1, ProtectionPilot 1.1.1 and 1.5, and Common Management Agent (CMA) 3.5.5.438 allows remote attackers to cause a denial of service (CMA Framework service crash) and possibly execute arbitrary code via unspecified vectors.

• http://secunia.com/advisories/26029
• http://www.iss.net/threats/269.html
• http://www.osvdb.org/36101
• http://www.securityfocus.com/bid/24863
• http://www.securitytracker.com/id?1018363
• http://www.vupen.com/english/advisories/2007/2498
• https://exchange.xforce.ibmcloud.com/vulnerabilities/31165
• https://knowledge.mcafee.com/article/764/613367_f.SAL_Public.html

CVSS: 5.0 | EPSS: 9% | CPEs: 1 | EXPL: 1

Directory traversal vulnerability in Framework Service component in McAfee ePolicy Orchestrator agent 3.5.0.x and earlier allows remote attackers to create arbitrary files via a .. (dot dot) in the directory and filename in a PropsResponse (PackageType) request.

• http://secunia.com/advisories/21037
• http://securitytracker.com/id?1016501
• http://www.eeye.com/html/research/advisories/AD20060713.html
• http://www.osvdb.org/27158
• http://www.securityfocus.com/archive/1/440077/100/0/threaded
• http://www.securityfocus.com/bid/18979
• http://www.vupen.com/english/advisories/2006/2796
• https://exchange.xforce.ibmcloud.com/vulnerabilities/27738