McAfee ePolicy Orchestrator 5.1.x < 5.1.3 HF1167014 / 5.3.x < 5.3.1 HF1179709 / 5.3.x < 5.3.2 HF1167013 Blind SQL Injection (SB10187)
Severity: High
Nessus Plugin ID: 97352
Synopsis: The remote Windows host is affected by a blind SQL injection vulnerability.
Description: The remote Windows host is running a version of McAfee ePolicy Orchestrator 5.1.x prior to 5.1.3 hotfix 1167014, 5.3.x prior to 5.3.1 hotfix 1179709, or 5.3.x prior to 5.3.2 hotfix 1167013. It is, therefore, affected by a blind SQL injection vulnerability in the ePolicy Orchestrator (ePO) Core Services component due to a failure to properly sanitize user-supplied input to unspecified parameters. An unauthenticated, remote attacker can exploit this vulnerability, via a specially crafted HTTP POST request, to inject or manipulate SQL queries, resulting in the disclosure or manipulation of arbitrary data.
Solution: Upgrade to McAfee ePO version 5.1.3 hotfix 1167014 / 5.3.1 hotfix 1179709 / 5.3.2 hotfix 1167013 or later.