CVSS: 5.4EPSS: 0%CPEs: 20EXPL: 0CVE-2023-5445
https://notcve.org/view.php?id=CVE-2023-5445
An open redirect vulnerability in ePolicy Orchestrator prior to 5.10.0 CP1 Update 2, allows a remote low privileged user to modify the URL parameter for the purpose of redirecting URL request(s) to a malicious site. This impacts the dashboard area of the user interface. A user would need to be logged into ePO to trigger this vulnerability. To exploit this the attacker must change the HTTP payload post submission, prior to it reaching the ePO server. Una vulnerabilidad de redireccionamiento abierto en ePolicy Orchestrator anterior a 5.10.0 CP1 Actualización 2 permite a un usuario remoto con pocos privilegios modificar el parámetro de URL con el fin de redirigir solicitudes de URL a un sitio malicioso. • https://kcm.trellix.com/corporate/index?page=content&id=SB10410 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.0EPSS: 0%CPEs: 20EXPL: 0CVE-2023-5444 – CSRF in ePO leading to privilege escalation
https://notcve.org/view.php?id=CVE-2023-5444
A Cross Site Request Forgery vulnerability in ePolicy Orchestrator prior to 5.10.0 CP1 Update 2 allows a remote low privilege user to successfully add a new user with administrator privileges to the ePO server. This impacts the dashboard area of the user interface. To exploit this the attacker must change the HTTP payload post submission, prior to it reaching the ePO server. Una vulnerabilidad de Cross Site Request Forgery en ePolicy Orchestrator anterior a 5.10.0 CP1 Actualización 2 permite a un usuario remoto con privilegios bajos agregar con éxito un nuevo usuario con privilegios de administrador al servidor de ePO. Esto afecta el área del tablero de la interfaz de usuario. • https://kcm.trellix.com/agent/index?page=content&id=SB10410 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 19EXPL: 0CVE-2023-3946
https://notcve.org/view.php?id=CVE-2023-3946
A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 SP1 Update 1allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO. • https://kcm.trellix.com/corporate/index?page=content&id=SB10402 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 15EXPL: 0CVE-2022-3339 – Reflected XSS in Trellix ePO server
https://notcve.org/view.php?id=CVE-2022-3339
A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 Update 14 allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO. Una vulnerabilidad de tipo cross-site scripting (XSS) reflejado en ePO versiones anteriores a la actualización 5.10 14, permite a un atacante remoto no autenticado obtener potencialmente acceso a la sesión de un administrador de ePO al convencer al administrador autenticado de ePO hacer clic en un enlace cuidadosamente diseñado. Esto conllevaría a un acceso limitado a información confidencial y una capacidad limitada para alterar determinada información en ePO • https://kcm.trellix.com/corporate/index?page=content&id=SB10387 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 15EXPL: 0CVE-2022-3338 – XXE in Trellix ePO server
https://notcve.org/view.php?id=CVE-2022-3338
An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. This can be exploited by mimicking the Agent Handler call to ePO and passing the carefully constructed XML file through the API. Una vulnerabilidad de tipo External XML entity (XXE) en ePO versiones anteriores a la actualización 5.10 14, puede conllevar a que un atacante remoto no autenticado desencadene potencialmente un ataque de tipo Server Side Request Forgery. Esto puede ser explotado al imitar la llamada del Manejador de Agentes a ePO y pasando el archivo XML cuidadosamente construido mediante la API • https://kcm.trellix.com/corporate/index?page=content&id=SB10387 • CWE-611: Improper Restriction of XML External Entity Reference •