Search Results (Refine Search)
- Keyword (text search): cpe:2.3:a:mcafee:epolicy_orchestrator:3.5.0:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2021-23889 |
Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. Published: March 26, 2021; 6:15:12 AM -0400 |
V4.0:(not available) V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2021-23888 |
Unvalidated client-side URL redirect vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 could cause an authenticated ePO user to load an untrusted site in an ePO iframe which could steal information from the authenticated user. Published: March 26, 2021; 6:15:11 AM -0400 |
V4.0:(not available) V3.1: 6.3 MEDIUM V2.0: 4.9 MEDIUM |
CVE-2021-23840 |
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). Published: February 16, 2021; 12:15:13 PM -0500 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2020-7317 |
Cross-Site Scripting vulnerability in McAfee ePolicy Orchistrator (ePO) prior to 5.10.9 Update 9 allows administrators to inject arbitrary web script or HTML via parameter values for "syncPointList" not being correctly sanitsed. Published: October 14, 2020; 3:15:14 PM -0400 |
V4.0:(not available) V3.1: 4.3 MEDIUM V2.0: 2.3 LOW |
CVE-2019-3604 |
Cross-Site Request Forgery (CSRF) vulnerability in McAfee ePO (legacy) Cloud allows unauthenticated users to perform unintended ePO actions using an authenticated user's session via unspecified vectors. Published: February 01, 2019; 10:29:00 AM -0500 |
V4.0:(not available) V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-3980 |
A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session. Published: May 18, 2017; 3:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.2 HIGH V2.0: 6.5 MEDIUM |
CVE-2015-8765 |
Intel McAfee ePolicy Orchestrator (ePO) 4.6.9 and earlier, 5.0.x, 5.1.x before 5.1.3 Hotfix 1106041, and 5.3.x before 5.3.1 Hotfix 1106041 allow remote attackers to execute arbitrary code via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. Published: January 08, 2016; 3:59:03 PM -0500 |
V4.0:(not available) V3.0: 8.3 HIGH V2.0: 7.5 HIGH |
CVE-2015-4559 |
Cross-site scripting (XSS) vulnerability in the product deployment feature in the Java core web services in Intel McAfee ePolicy Orchestrator (ePO) before 5.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: June 15, 2015; 11:59:14 AM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2015-0922 |
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password. Published: January 09, 2015; 1:59:11 PM -0500 |
V4.0:(not available) V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2015-0921 |
XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do. Published: January 09, 2015; 1:59:10 PM -0500 |
V4.0:(not available) V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2014-2205 |
The Import and Export Framework in McAfee ePolicy Orchestrator (ePO) before 4.6.7 Hotfix 940148 allows remote authenticated users with permissions to add dashboards to read arbitrary files by importing a crafted XML file, related to an XML External Entity (XXE) issue. Published: February 26, 2014; 10:55:08 AM -0500 |
V4.0:(not available) V3.x:(not available) V2.0: 6.3 MEDIUM |
CVE-2013-4883 |
Multiple cross-site scripting (XSS) vulnerabilities in McAfee ePolicy Orchestrator 4.6.6 and earlier, and the ePO Extension for the McAfee Agent (MA) 4.5 through 4.6, allow remote attackers to inject arbitrary web script or HTML via the (1) instanceId parameter core/loadDisplayType.do; (2) instanceId or (3) monitorUrl parameter to console/createDashboardContainer.do; uid parameter to (4) ComputerMgmt/sysDetPanelBoolPie.do or (5) ComputerMgmt/sysDetPanelSummary.do; (6) uid, (7) orion.user.security.token, or (8) ajaxMode parameter to ComputerMgmt/sysDetPanelQry.do; or (9) uid, (10) orion.user.security.token, or (11) ajaxMode parameter to ComputerMgmt/sysDetPanelSummary.do. Published: July 22, 2013; 7:21:15 AM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-4882 |
Multiple SQL injection vulnerabilities in McAfee ePolicy Orchestrator 4.6.6 and earlier, and the ePolicy Orchestrator (ePO) extension for McAfee Agent (MA) 4.5 and 4.6, allow remote authenticated users to execute arbitrary SQL commands via the uid parameter to (1) core/showRegisteredTypeDetails.do and (2) EPOAGENTMETA/DisplayMSAPropsDetail.do, a different vulnerability than CVE-2013-0140. Published: July 22, 2013; 7:21:15 AM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2013-0141 |
Directory traversal vulnerability in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to upload arbitrary files via a crafted request over the Agent-Server communication channel, as demonstrated by writing to the Software/ directory. Published: May 01, 2013; 8:00:07 AM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-0140 |
SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel. Published: May 01, 2013; 8:00:07 AM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 7.9 HIGH |
CVE-2012-4594 |
McAfee ePolicy Orchestrator (ePO) 4.6.1 and earlier allows remote authenticated users to bypass intended access restrictions, and obtain sensitive information from arbitrary reporting panels, via a modified ID value in a console URL. Published: August 22, 2012; 6:42:05 AM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2006-5274 |
Integer overflow in McAfee ePolicy Orchestrator 3.5 through 3.6.1, ProtectionPilot 1.1.1 and 1.5, and Common Management Agent (CMA) 3.5.5.438 allows remote attackers to cause a denial of service (CMA Framework service crash) and possibly execute arbitrary code via unspecified vectors. Published: July 11, 2007; 8:30:00 PM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 7.6 HIGH |
CVE-2007-1498 |
Multiple stack-based buffer overflows in the SiteManager.SiteMgr.1 ActiveX control (SiteManager.dll) in the ePO management console in McAfee ePolicy Orchestrator (ePO) before 3.6.1 Patch 1 and ProtectionPilot (PRP) before 1.5.0 HotFix allow remote attackers to execute arbitrary code via a long argument to the (1) ExportSiteList and (2) VerifyPackageCatalog functions, and (3) unspecified vectors involving a swprintf function call. Published: March 16, 2007; 6:19:00 PM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 9.3 HIGH |
CVE-2006-5156 |
Buffer overflow in McAfee ePolicy Orchestrator before 3.5.0.720 and ProtectionPilot before 1.1.1.126 allows remote attackers to execute arbitrary code via a request to /spipe/pkg/ with a long source header. Published: October 05, 2006; 12:04:00 AM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 10.0 HIGH |