Open Redirect Vulnerability in ePolicy Orchestrator by Trellix
CVE-2023-5445
5.4 MEDIUM
Summary
An open redirect vulnerability exists in ePolicy Orchestrator versions prior to 5.10.0 CP1 Update 2, allowing low privileged remote users to manipulate the URL parameter. This can be used to redirect users to malicious sites, specifically from the dashboard area of the application. Exploitation requires the user to be logged into ePolicy Orchestrator and involves altering the HTTP payload after submission, before it reaches the ePO server.
Affected Version(s)
ePolicy Orchestrator Prior to 5.10.0 SP1 UP2
References
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lukasz Plonka