CVE-2015-0921 — XML External Entity (XXE) Injection in Epolicy Orchestrator

5 documents4 sources

Severity

4.0MEDIUMNVD

EPSS

58.2%

top 1.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mcafee Epolicy Orchestrator

Timeline

PublishedJan 9

Latest updateMay 17

Description

XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages1 packages

▶NVDmcafee/epolicy_orchestrator4.6.8+4

Patches

Patch: kc.mcafee.com ↗Patch: kc.mcafee.com ↗

🔴Vulnerability Details

GHSA

GHSA-9wr3-hxwc-qrxf: XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4↗2022-05-17

▶

CVEList

CVE-2015-0921: XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4↗2015-01-09

▶

💬Community

Bugzilla

CVE-2015-1250 chromium-browser: various unspecified flaws↗2015-04-29

▶

Bugzilla

CVE-2015-1243 chromium-browser: use-after-free in DOM↗2015-04-29

▶