CVE-2009-3566

Mcafee Intrushield Network Security Manager < 5.1.7.74 - XSS

Title source: rule

Description

McAfee IntruShield Network Security Manager (NSM) before 5.1.11.8.1 does not include the HTTPOnly flag in the Set-Cookie header for the session identifier, which allows remote attackers to hijack a session by leveraging a cross-site scripting (XSS) vulnerability.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Daniel King · textwebappsjsp

https://www.exploit-db.com/exploits/33347

View Code ZIP pw:eip

References (9)

Core 9

Core References

Vendor Advisory x_refsource_confirm

https://kc.mcafee.com/corporate/index?page=content&id=SB10005

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/3226

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://securitytracker.com/id?1023172

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/37004

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/54251

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://www.osvdb.org/59912

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/507822/100/0/threaded

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/37178

Various Sources x_refsource_misc

http://www.secureworks.com/ctu/advisories/SWRX-2009-002

Scores

EPSS 0.0512

EPSS Percentile 89.9%

Details

CWE

CWE-79

Status published

Products (3)

mcafee/intrushield_network_security_manager 5.1.7.7

mcafee/intrushield_network_security_manager 5.1.7.73

mcafee/intrushield_network_security_manager < 5.1.7.74

Published Nov 13, 2009

Tracked Since Feb 18, 2026