CVE-2021-31852 — Cross-site Scripting in LLC Mcafee Policy Auditor

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.9%

top 24.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mcafee LLC Mcafee Policy Auditor Mcafee Policy Auditor

Timeline

PublishedNov 23

Latest updateNov 24

Description

A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the UID request parameter. The malicious script is reflected unmodified into the Policy Auditor web-based interface which could lead to the extract of end user session token or login credentials. These may be used to access additional security-critical applications or conduct arbitrary cross-domain requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDmcafee/policy_auditor< 6.5.2

▶CVEListV5mcafee_llc/mcafee_policy_auditorunspecified — 6.5.2

🔴Vulnerability Details

GHSA

GHSA-c6xr-2587-83ff: A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6↗2021-11-24

▶

CVEList

Cross-Site Scripting vulnerability in Policy Auditor↗2021-11-23

▶