McAfee ePO DLPe Extension < 9.3.400 Multiple Vulnerabilities (SB10098)
Medium Nessus Plugin ID 81422
Synopsis
The remote host is affected by multiple vulnerabilities.
Description
The remote McAfee ePO server has a vulnerable version of the McAfee Data Loss Protection Endpoint (DLPe) extension installed that is affected by multiple vulnerabilities:
- An unspecified SQL injection vulnerability exists due to improper sanitization of user-supplied input. This allows an authenticated, remote attacker to inject or manipulate SQL queries, resulting in the disclosure of sensitive information. (CVE-2015-1616)
- An unspecified cross-site scripting vulnerability exists due to improper validation of user-supplied input. This allows an authenticated, remote attacker to execute arbitrary script code in a user's browser session.
- An information disclosure vulnerability exists due to access checks not being properly enforced. A remote, authenticated attacker can gain access to password information via a specially crafted URL.
Solution
Install or update to DLPe 9.3 Patch 4 (9.3.400).