CVE-2022-0857 — Cross-site Scripting in LLC Mcafee Epolicy Orchestrator

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

CNA5.4

EPSS

0.2%

top 57.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mcafee LLC Mcafee Epolicy Orchestrator Mcafee Epolicy Orchestrator

Timeline

PublishedMar 23

Latest updateMar 24

Description

A reflected cross-site scripting (XSS) vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to potentially obtain access to an ePO administrator's session by convincing the attacker to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO due to the area of the User Interface the vulnerability is present in.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDmcafee/epolicy_orchestrator< 5.10.0+1

▶CVEListV5mcafee_llc/mcafee_epolicy_orchestratorunspecified — 5.10 CU 13

🔴Vulnerability Details

GHSA

GHSA-qpvw-vv3x-9vf4: A reflected cross-site scripting (XSS) vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5↗2022-03-24

▶

CVEList

ePO Reflected Cross-site scripting vulnerability↗2022-03-23

▶