Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-4882 — SQL Injection in Epolicy Orchestrator

CWE-89 — SQL Injection4 documents4 sources

Severity

6.5MEDIUMNVD

CNA7.9

EPSS

1.1%

top 21.95%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mcafee Epolicy Orchestrator Mcafee Epolicy Orchestrator Agent

Timeline

PublishedJul 22

Latest updateMay 17

Description

Multiple SQL injection vulnerabilities in McAfee ePolicy Orchestrator 4.6.6 and earlier, and the ePolicy Orchestrator (ePO) extension for McAfee Agent (MA) 4.5 and 4.6, allow remote authenticated users to execute arbitrary SQL commands via the uid parameter to (1) core/showRegisteredTypeDetails.do and (2) EPOAGENTMETA/DisplayMSAPropsDetail.do, a different vulnerability than CVE-2013-0140.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages2 packages

▶NVDmcafee/epolicy_orchestrator_agent4.5, 4.6+1

▶NVDmcafee/epolicy_orchestrator4.6.6+6

🔴Vulnerability Details

GHSA

GHSA-r8g4-4j5g-w475: Multiple SQL injection vulnerabilities in McAfee ePolicy Orchestrator 4↗2022-05-17

▶

CVEList

CVE-2013-4882: Multiple SQL injection vulnerabilities in McAfee ePolicy Orchestrator 4↗2013-07-21

▶

💥Exploits & PoCs

Exploit-DB

McAfee ePO 4.6.6 - Multiple Vulnerabilities↗2013-07-13

▶