CVE-2022-3339

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.6%

top 29.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trellix Trellix Epolicy Orchestrator (epo)Mcafee Epolicy Orchestrator

Timeline

PublishedOct 18

Description

A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 Update 14 allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDmcafee/epolicy_orchestrator< 5.10.0+1

▶CVEListV5trellix/trellix_epolicy_orchestrator_(epo)unspecified — 5.10 Update 14

🔴Vulnerability Details

CVEList

Reflected XSS in Trellix ePO server↗2022-10-18

▶

GHSA

GHSA-p364-wcw9-g7q4: A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5↗2022-10-18

▶