McAfee ePolicy Orchestrator < 4.6.7 HF940148 XML Entity Injection (SB10065)

medium Nessus Plugin ID 72729

Synopsis

The remote host is affected by an XML entity injection vulnerability.

Description

The remote Windows host is running a version of McAfee ePolicy Orchestrator (ePO) prior to 4.6.7 hotfix 940148. It is, therefore, affected by an XML entity injection vulnerability due to a failure to properly sanitize user-supplied input. An authenticated, remote attacker with permission to add new dashboards can exploit this vulnerability to access arbitrary server side system files.

Solution

Upgrade to McAfee ePO version 4.6.7 hotfix 940148 or later.

See Also

http://www.nessus.org/u?c8b4a72e

https://kc.mcafee.com/corporate/index?page=content&id=SB10065

Plugin Details

Severity: Medium

ID: 72729

File Name: mcafee_epo_sb10065.nasl

Version: 1.10

Type: local

Agent: windows

Family: Windows

Published: 2/27/2014

Updated: 7/16/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 6.3

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mcafee:epolicy_orchestrator

Required KB Items: SMB/mcafee_epo/Path, SMB/mcafee_epo/ver

Exploit Ease: No known exploits are available

Patch Publication Date: 2/24/2014

Vulnerability Publication Date: 2/24/2014

Reference Information

CVE: CVE-2014-2205

BID: 65771

MCAFEE-SB: SB10065