McAfee ePolicy Orchestrator vulnerabilities
85 known vulnerabilities affecting mcafee/epolicy_orchestrator.
Total CVEs: 85
CISA KEV: 0
Public exploits: 13
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 16, MEDIUM 46, LOW 18
Vulnerabilities
Page 2 of 5
CVE-2019-2602 | P3 | HIGH | CVSS 7.5 | CWE-400 | v5.9.0, v5.9.1, +1 more | 2019-04-23
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded.
nvd
CVE-2007-1498 | P3 | CRITICAL | CVSS 9.3 | v3.5.0, v3.6.0, +1 more | 2007-03-16
Multiple stack-based buffer overflows in the SiteManager.SiteMgr.1 ActiveX control (SiteManager.dll) in the ePO management console in McAfee ePolicy Orchestrator (ePO) before 3.6.1 Patch 1 and ProtectionPilot (PRP) before 1.5.0 HotFix allow remote attackers to execute arbitrary code via a long argument to the (1) ExportSiteList and (2) VerifyPackageCatalog
nvd
CVE-2002-0690 | P3 | CRITICAL | CVSS 10.0 | v2.5.1 | 2003-04-11
Format string vulnerability in McAfee Security ePolicy Orchestrator (ePO) 2.5.1 allows remote attackers to execute arbitrary code via an HTTP GET request with a URI containing format strings.
nvd
CVE-2017-3980 | P3 | HIGH | CVSS 7.2 | CWE-22 | ≤ 5.1.3; ≥ 5.3.0, ≤ 5.3.3; +4 more | 2017-05-18
A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session.
nvd
CVE-2023-5444 | P3 | HIGH | CVSS 8.0 | CWE-352 | fixed in 5.10.0, v5.10.0 | 2023-11-17
A Cross Site Request Forgery vulnerability in ePolicy Orchestrator prior to 5.10.0 CP1 Update 2 allows a remote low privilege user to successfully add a new user with administrator privileges to the ePO server. This impacts the dashboard area of the user interface. To exploit this the attacker must change the HTTP payload post submission, prior to it rea
nvd
CVE-2020-7318 | P4 | MEDIUM | CVSS 4.3 | PoC | CWE-79 | ≥ 5.10.0, ≤ 5.10.9 | 2020-10-14
Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10.9 Update 9 allows administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.
nvd
CVE-2019-2949 | P3 | MEDIUM | CVSS 6.8 | v5.9.0, v5.9.1, +1 more | 2019-10-16
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Kerberos). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerabil
nvd
CVE-2004-0038 | P3 | HIGH | CVSS 7.5 | v2.5, v2.5.1, +1 more | 2004-06-14
McAfee ePolicy Orchestrator (ePO) 2.5.1 Patch 13 and 3.0 SP2a Patch 3 allows remote attackers to execute arbitrary commands via certain HTTP POST requests to the spipe/file handler on ePO TCP port 81.
nvd
CVE-2021-23890 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 5.9.1, v5.10.0 | 2021-03-26
Information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) available in ePO repository and install them on their own machines to have it managed and then in turn get policy details from the ePO server.
nvd
CVE-2021-2161 | P3 | MEDIUM | CVSS 5.9 | fixed in 5.10.0, v5.10.0 | 2021-04-22
Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated atta
nvd
CVE-2003-0616 | P3 | HIGH | CVSS 7.5 | v2.0, v2.5, +1 more | 2003-08-27
Format string vulnerability in ePO service for McAfee ePolicy Orchestrator 2.0, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code via a POST request with format strings in the computerlist parameter, which are used when logging a failed name resolution.
nvd
CVE-2003-0149 | P4 | HIGH | CVSS 7.5 | v2.0, v2.5, +1 more | 2003-08-27
Heap-based buffer overflow in ePO agent for McAfee ePolicy Orchestrator 2.0, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code via a POST request containing long parameters.
nvd
CVE-2006-5274 | P4 | HIGH | CVSS 7.6 | v3.5.0, v3.6.0 | 2007-07-12
Integer overflow in McAfee ePolicy Orchestrator 3.5 through 3.6.1, ProtectionPilot 1.1.1 and 1.5, and Common Management Agent (CMA) 3.5.5.438 allows remote attackers to cause a denial of service (CMA Framework service crash) and possibly execute arbitrary code via unspecified vectors.
nvd
CVE-2014-2205 | P4 | MEDIUM | CVSS 6.3 | CWE-264 | ≤ 4.6.7, v4.6.0, +6 more | 2014-02-26
The Import and Export Framework in McAfee ePolicy Orchestrator (ePO) before 4.6.7 Hotfix 940148 allows remote authenticated users with permissions to add dashboards to read arbitrary files by importing a crafted XML file, related to an XML External Entity (XXE) issue.
nvd
CVE-2022-0859 | P4 | MEDIUM | CVSS 6.7 | CWE-522 | fixed in 5.10.0, v5.10.0 | 2022-03-23
McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a local attacker to point an ePO server to an arbitrary SQL server during the restoration of the ePO server. To achieve this the attacker would have to be logged onto the server hosting the ePO server (restricted to administrators) and to know the SQL server password.
nvd
CVE-2020-14621 | P4 | MEDIUM | CVSS 5.3 | v5.9.0, v5.9.1, +1 more | 2020-07-15
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful
nvd
CVE-2022-3338 | P4 | MEDIUM | CVSS 5.4 | CWE-611 | fixed in 5.10.0, v5.10.0 | 2022-10-18
An XML External Entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can allow an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. This can be exploited by mimicking the Agent Handler call to ePO and passing the carefully constructed XML file through the API.
nvd
CVE-2020-13938 | P4 | MEDIUM | CVSS 5.5 | CWE-862 | fixed in 5.10.0, v5.10.0 | 2021-06-10
Apache HTTP Server versions 2.4.0 to 2.4.46: unprivileged local users can stop httpd on Windows.
nvd
CVE-2022-0862 | P4 | MEDIUM | CVSS 5.3 | CWE-522 | fixed in 5.10.0, v5.10.0 | 2022-03-23
A lack of password change protection vulnerability in a deprecated API of McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to change the password of a compromised session without knowing the existing user's password. This functionality was removed from the User Interface in ePO 10 and the API has now been
nvd
CVE-2018-6672 | P4 | MEDIUM | CVSS 6.5 | CWE-200 | ≥ 5.3.0, ≤ 5.3.3; ≥ 5.9.0, ≤ 5.9.1; +2 more | 2018-06-15
Information disclosure vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows authenticated users to view sensitive information in plain text format via unspecified vectors.
nvd