CVE-2023-3946

A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 SP1 Update 1allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://kcm.trellix.com/corporate/index?page=content&id=SB10402	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mcafee:epolicy_orchestrator::::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_11::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_11_hotfix_1::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_11_hotfix_2::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_12::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_13::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_14::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_15::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9::::::

History

03 Aug 2023, 17:18

Type	Values Removed	Values Added
First Time		Mcafee Mcafee epolicy Orchestrator
References	~~(MISC) https://kcm.trellix.com/corporate/index?page=content&id=SB10402 -~~	(MISC) https://kcm.trellix.com/corporate/index?page=content&id=SB10402 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
CWE		CWE-79
CPE		cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_14:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:::::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_11_hotfix_2:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_11_hotfix_1:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_13:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_12:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_15:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_11:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:::::: cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7::::::

26 Jul 2023, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-07-26 06:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-3946

Mitre link : CVE-2023-3946

CVE.ORG link : CVE-2023-3946

JSON object : View

Products Affected

mcafee

epolicy_orchestrator

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10