CVE-2015-8765
https://notcve.org/view.php?id=CVE-2015-8765
Intel McAfee ePolicy Orchestrator (ePO) 4.6.9 and earlier, 5.0.x, 5.1.x before 5.1.3 Hotfix 1106041, and 5.3.x before 5.3.1 Hotfix 1106041 allow remote attackers to execute arbitrary code via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. • https://kc.mcafee.com/corporate/index?page=content&id=SB10144 https://www.kb.cert.org/vuls/id/576313
CVE-2015-2859
https://notcve.org/view.php?id=CVE-2015-2859
Intel McAfee ePolicy Orchestrator (ePO) 4.x through 4.6.9 and 5.x through 5.1.2 does not validate server names and Certification Authority names in X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. • http://www.kb.cert.org/vuls/id/264092 http://www.securityfocus.com/bid/75020 http://www.securitytracker.com/id/1032571 https://kc.mcafee.com/corporate/index?page=content&id=KB84628 https://kc.mcafee.com/corporate/index?page=content&id=SB10120 • CWE-310: Cryptographic Issues
CVE-2015-4559
https://notcve.org/view.php?id=CVE-2015-4559
Cross-site scripting (XSS) vulnerability in the product deployment feature in the Java core web services in Intel McAfee ePolicy Orchestrator (ePO) before 5.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. • http://www.securityfocus.com/bid/91539 http://www.securitytracker.com/id/1032671 https://kc.mcafee.com/corporate/index?page=content&id=SB10121 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-0921
https://notcve.org/view.php?id=CVE-2015-0921
XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do. • http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html http://seclists.org/fulldisclosure/2015/Jan/37 http://seclists.org/fulldisclosure/2015/Jan/8 http://secunia.com/advisories/61922 http://www.securitytracker.com/id/1031519 https://exchange.xforce.ibmcloud.com/vulnerabilities/99950 https://gist.github.com/brandonprry/692e553975bf29aeaf2c https://kc.mcafee.com/corporate/index?page=content&id=SB10095 https://seclists.org/fulldisclosure/2015/Jan/8
CVE-2015-0922
https://notcve.org/view.php?id=CVE-2015-0922
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password. • http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html http://seclists.org/fulldisclosure/2015/Jan/37 http://seclists.org/fulldisclosure/2015/Jan/8 http://www.securityfocus.com/bid/72298 http://www.securitytracker.com/id/1031519 https://exchange.xforce.ibmcloud.com/vulnerabilities/99949 https://gist.github.com/brandonprry/692e553975bf29aeaf2c https://kc.mcafee.com/corporate/index?page=content&id=SB10095 https://seclists.org/fulldisclosure/2015/Jan/8 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor