McAfee Cloud Single Sign On < 4.0.1 Information Disclosure (SB10066) (Windows)

medium Nessus Plugin ID 73187

Synopsis

The remote host is affected by an information disclosure vulnerability.

Description

A version of McAfee Cloud Single Sign On (MCSSO) prior to 4.0.1 is installed on the remote host. It is, therefore, affected by an information disclosure vulnerability due to a failure to sanitize user-supplied input, resulting in potential directory traversal. An attacker could potentially exploit this vulnerability to download arbitrary files, including one containing a hash of the product administrator's password.

Solution

Upgrade to version 4.0.1 or later.

See Also

https://www.zerodayinitiative.com/advisories/ZDI-14-050/

https://kc.mcafee.com/corporate/index?page=content&id=SB10066

Plugin Details

Severity: Medium

ID: 73187

File Name: mcafee_csso_SB10066_windows.nasl

Version: 1.6

Type: local

Agent: windows

Family: Windows

Published: 3/25/2014

Updated: 11/26/2019

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2014-2536

Vulnerability Information

CPE: cpe:/a:mcafee:cloud_single_sign_on

Required KB Items: SMB/mcafee_csso/Path, SMB/mcafee_csso/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 11/11/2013

Vulnerability Publication Date: 3/7/2014

Reference Information

CVE: CVE-2014-2536

BID: 66181

MCAFEE-SB: SB10066