CVE-2009-3566

Mcafee Intrushield Network Security Manager < 5.1.7.74 - XSS

Title source: rule

Description

McAfee IntruShield Network Security Manager (NSM) before 5.1.11.8.1 does not include the HTTPOnly flag in the Set-Cookie header for the session identifier, which allows remote attackers to hijack a session by leveraging a cross-site scripting (XSS) vulnerability.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Daniel King · textwebappsjsp

https://www.exploit-db.com/exploits/33347

View Code ZIP pw:eip

References (9)

[Vendor Advisory] http://secunia.com/advisories/37178

[Various Sources] http://www.secureworks.com/ctu/advisories/SWRX-2009-002

[Exploit] http://www.securityfocus.com/bid/37004

[Vendor Advisory] http://www.vupen.com/english/advisories/2009/3226

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/54251

[Vendor Advisory] https://kc.mcafee.com/corporate/index?page=content&id=SB10005

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/507822/100/0/threaded

[Third Party Advisory, VDB Entry] http://www.osvdb.org/59912

[Third Party Advisory, VDB Entry] http://securitytracker.com/id?1023172

Scores

EPSS 0.0512

EPSS Percentile 89.7%

Classification

CWE

CWE-79

Status published

Affected Products (4)

mcafee/intrushield_network_security_manager < 5.1.7.74

mcafee/intrushield_network_security_manager

mcafee/intrushield_network_security_manager

n/a/n/a

Timeline

Published Nov 13, 2009

Tracked Since Feb 18, 2026