McAfee EPolicy Orchestrator (ePO) Multiple Vulnerabilities-01 August13 Network Vulnerability

Summary

This host is running McAfee ePolicy Orchestrator and is prone to multiple vulnerabilities.

Impact

Successful exploitation will allow remote attackers to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data

Solution

Upgrade to McAfee ePolicy Orchestrator version 5.0 or 4.6.6 or 4.5.7 or later, For updates refer to http://www.mcafee.com/in/products/epolicy-orchestrator.aspx

Insight

Flaws are due to improper sanitation of user supplied input via 'uid' parameter to /EPOAGENTMETA/DisplayMSAPropsDetail.do script and specifically directory traversal style (e.g., ../../).

Affected

McAfee ePolicy Orchestrator (ePO) version before 4.5.7 and 4.6.x before 4.6.6

Detection

Get the installed version with the help detect NVT and check the version is vulnerable or not.

References

http://secunia.com/advisories/53196
http://www.kb.cert.org/vuls/id/209131
http://www.osvdb.com/92800
http://www.osvdb.com/92801
https://kc.mcafee.com/corporate/index?page=content&id=SB10042

Updated on 2015-03-25

Severity

Classification

CVE CVE-2013-0140, CVE-2013-0141

CVSS	Base Score: 7.9 AV:A/AC:M/Au:N/C:C/I:C/A:C

Related Vulnerabilities

b2Evolution title SQL Injection
AlienVault Open Source SIEM (OSSIM) 'timestamp' Parameter Directory Traversal Vulnerability
appRain CMF SQL Injection And Cross Site Scripting Vulnerabilities
artmedic_links5 File Inclusion Vulnerability
Adobe ColdFusion Information Disclosure Vulnerability

McAfee ePolicy Orchestrator (ePO) Multiple Vulnerabilities-01 August13

Take action and discover your vulnerabilities