CVSS: 7.4EPSS: 0%CPEs: 56EXPL: 0CVE-2021-3450 – CA certificate check bypass with X509_V_FLAG_X509_STRICT
https://notcve.org/view.php?id=CVE-2021-3450
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. • http://www.openwall.com/lists/oss-security/2021/03/27/1 http://www.openwall.com/lists/oss-security/2021/03/27/2 http://www.openwall.com/lists/oss-security/2021/03/28/3 http://www.openwall.com/lists/oss-security/2021/03/28/4 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845 https://kc.mc • CWE-295: Improper Certificate Validation •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-7268 – McAfee Email Gateway (MEG) - Path Traversal vulnerability
https://notcve.org/view.php?id=CVE-2020-7268
Path Traversal vulnerability in McAfee McAfee Email Gateway (MEG) prior to 7.6.406 allows remote attackers to traverse the file system to access files or directories that are outside of the restricted directory via external input to construct a path name that should be within a restricted directory. Una vulnerabilidad de Salto de Directorio en McAfee Email Gateway (MEG) versiones anteriores a 7.6.406, permite a atacantes remotos saltar el sistema de archivos para acceder a archivos o directorios que están fuera del directorio restringido por medio de una entrada externa para construir un nombre de ruta que debe estar dentro de un directorio • https://kc.mcafee.com/corporate/index?page=content&id=SB10323 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-8005
https://notcve.org/view.php?id=CVE-2016-8005
File extension filtering vulnerability in Intel Security McAfee Email Gateway (MEG) before 7.6.404h1128596 allows attackers to fail to identify the file name properly via scanning an email with a forged attached filename that uses a null byte within the filename extension. Vulnerabilidad de filtrado de extensión de archivo en Intel Security McAfee Email Gateway (MEG) en versiones anteriores a 7.6.404h1128596 permite a atacantes no identificar el nombre de archivo correctamente a través del escaneo de un correo electrónico con un nombre de archivo adjunto forjado que utiliza un byte nulo dentro de la extensión del nombre de archivo. • https://kc.mcafee.com/corporate/index?page=content&id=SB10161 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2016-3969
https://notcve.org/view.php?id=CVE-2016-3969
Cross-site scripting (XSS) vulnerability in McAfee Email Gateway (MEG) 7.6.x before 7.6.404, when File Filtering is enabled with the action set to ESERVICES:REPLACE, allows remote attackers to inject arbitrary web script or HTML via an attachment in a blocked email. Vulnerabilidad de XSS en McAfee Email Gateway (MEG) 7.6.x en versiones anteriores a 7.6.404, cuando File Filtering está habilitado con la acción establecida a ESERVICES:REPLACE, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un archivo adjunto en un correo electrónico bloqueado. • http://www.securitytracker.com/id/1035470 https://kc.mcafee.com/corporate/index?page=content&id=SB10153 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.5EPSS: 0%CPEs: 17EXPL: 0CVE-2015-1619
https://notcve.org/view.php?id=CVE-2015-1619
Cross-site scripting (XSS) vulnerability in the Secure Web Mail Client user interface in McAfee Email Gateway (MEG) 7.6.x before 7.6.3.2, 7.5.x before 75.6, 7.0.x through 7.0.5, 5.6, and earlier allows remote authenticated users to inject arbitrary web script or HTML via unspecified tokens in Digest messages. Vulnerabilidad de XSS en la interfaz del usuarios de Secure Web Mail Client en McAfee Email Gateway (MEG) 7.6.x anterior a 7.6.3.2, 7.5.x anterior a 75.6, 7.0.x hasta 7.0.5, 5.6, y anteriores permite a usuarios remotos autenticados inyectar secuencias de comandos web arbitrarios o HTML a través de tokens no especificados en los mensajes Digest. • https://kc.mcafee.com/corporate/index?page=content&id=SB10099 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •