McAfee EPolicy Orchestrator XML External Entity Information Disclosure Vulnerability Network Vulnerability

Summary

McAfee ePolicy Orchestrator is prone to an XML External Entity vulnerability

Impact

An attacker can exploit this issue to gain access to sensitive information from the application this may lead to further attacks.

Solution

Updates are available.

Insight

The Import and Export Framework in McAfee ePolicy Orchestrator (ePO) before 4.6.7 Hotfix 940148 allows remote authenticated users with permissions to add dashboards to read arbitrary files by importing a crafted XML file, related to an XML External Entity (XXE) issue.

Affected

McAfee ePolicy Orchestrator 4.6.7 and prior are vulnerable.

Detection

Check the version

References

http://www.mcafee.com/us/enterprise/products/system_security_management/epolicy_orchestrator.html
http://www.securityfocus.com/bid/65771

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-2205

CVSS	Base Score: 6.3 AV:N/AC:M/Au:S/C:C/I:N/A:N

Related Vulnerabilities

Adobe BlazeDS XML and XML External Entity Injection Vulnerabilities
Apache CouchDB Cross Site Request Forgery Vulnerability
Apache Tomcat source.jsp malformed request information disclosure
Apache Roller 'q' Parameter Cross Site Scripting Vulnerability
Aardvark Topsites <= 4.2.2 Remote File Inclusion Vulnerability

McAfee ePolicy Orchestrator XML External Entity Information Disclosure Vulnerability

Take action and discover your vulnerabilities