Multiple cross-site scripting (XSS) vulnerabilities in McAfee ePolicy Orchestrator 4.6.6 and previous versions, and the ePO Extension for the McAfee Agent (MA) 4.5 up to and including 4.6, allow remote malicious users to inject arbitrary web script or HTML via the (1) instanceId parameter to core/loadDisplayType.do; (2) instanceId or (3) monitorUrl parameter to console/createDashboardContainer.do; uid parameter to (4) ComputerMgmt/sysDetPanelBoolPie.do or (5) ComputerMgmt/sysDetPanelSummary.do; (6) uid, (7) orion.user.security.token, or (8) ajaxMode parameter to ComputerMgmt/sysDetPanelQry.do; or (9) uid, (10) orion.user.security.token, or (11) ajaxMode parameter to ComputerMgmt/sysDetPanelSummary.do.
Vulnerable Product |
---|
mcafee epolicy orchestrator 4.6.3 |
mcafee epolicy orchestrator 4.6.2 |
mcafee epolicy orchestrator agent 4.6 |
mcafee epolicy orchestrator 4.6.0 |
mcafee epolicy orchestrator 4.6.1 |
mcafee epolicy orchestrator 4.6.5 |
mcafee epolicy orchestrator 4.6.4 |
mcafee epolicy orchestrator |
mcafee epolicy orchestrator agent 4.5 |