XML External Entity Vulnerability in McAfee ePolicy Orchestrator
CVE-2015-0921

Currently unrated

Key Information:

Vendor: Mcafee
Status: Epolicy Orchestrator
Vendor: CVE Published:; 9 January 2015

Summary

An XML external entity (XXE) vulnerability exists in the Server Task Log of McAfee ePolicy Orchestrator prior to version 4.6.9 and versions 5.x before 5.1.2. This flaw allows remote authenticated users to read arbitrary files by exploiting the conditionXML parameter when interacting with the taskLogTable and orionUpdateTableFilter.do. This can lead to unintended information disclosure, thereby compromising the integrity of sensitive data.

References

http://secunia.com/advisories/61922

third-party-advisoryx_refsource_SECUNIA

http://seclists.org/fulldisclosure/2015/Jan/37

mailing-listx_refsource_FULLDISC

https://kc.mcafee.com/corporate/index?page=content&id=SB1...

x_refsource_CONFIRM

EPSS Score

58% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Jan 9, 2015
Vulnerability Reserved
Jan 9, 2015