CVE-2019-3599
published 2019-02-28CVE-2019-3599: Information Disclosure vulnerability in Remote logging (which is disabled by default) in McAfee Agent (MA) 5.x allows remote unauthenticated users to access…
PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
1.82%
76.1th percentile
Information Disclosure vulnerability in Remote logging (which is disabled by default) in McAfee Agent (MA) 5.x allows remote unauthenticated users to access sensitive information via remote logging when it is enabled.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fatfreecrm | fat_free_crm | 0 – 0.19.0 | — |
| mcafee | agent | — | — |
| mcafee | agent | 5.0.0 – 5.0.6 | — |
| mcafee | agent | 5.5.0 – 5.5.2 | — |
| mcafee_llc | mcafee_agent | >= 5.x < 5.6.0 HF1 | 5.6.0 HF1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv3.06.5MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Withdrawn Advisory: Fat Free CRM Cross-site Scripting vulnerability
ghsa·2022-05-24
CVE-2019-10226 [MEDIUM] CWE-79 Withdrawn Advisory: Fat Free CRM Cross-site Scripting vulnerability
Withdrawn Advisory: Fat Free CRM Cross-site Scripting vulnerability
## Withdrawn
This advisory has been withdrawn because the CVE has been disputed and the underlying vulnerability is likely invalid. This link is maintained to preserve external references.
[According to maintainers of Fat Free CRM](https://github.com/github/advisory-database/pull/3599), the CRM comment feature allows certain HTML markup, but santizes the output when rendered to page. This allows safe tags (such as `` which the author tested and reported as a vulnerability) but correctly disallows `` tags and other dangerous entities.
## Original Description
HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.
GHSA
GHSA-gj5x-6xwx-4g9m: Information Disclosure vulnerability in Remote logging (which is disabled by default) in McAfee Agent (MA) 5
ghsa_unreviewed·2022-05-13
CVE-2019-3599 [HIGH] GHSA-gj5x-6xwx-4g9m: Information Disclosure vulnerability in Remote logging (which is disabled by default) in McAfee Agent (MA) 5
Information Disclosure vulnerability in Remote logging (which is disabled by default) in McAfee Agent (MA) 5.x allows remote unauthenticated users to access sensitive information via remote logging when it is enabled.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2019-02-28
Published