Description
Multiple cross-site scripting (XSS) vulnerabilities in McAfee ePolicy Orchestrator 4.6.6 and earlier, and the ePO Extension for the McAfee Agent (MA) 4.5 through 4.6, allow remote attackers to inject arbitrary web script or HTML via the (1) instanceId parameter core/loadDisplayType.do; (2) instanceId or (3) monitorUrl parameter to console/createDashboardContainer.do; uid parameter to (4) ComputerMgmt/sysDetPanelBoolPie.do or (5) ComputerMgmt/sysDetPanelSummary.do; (6) uid, (7) orion.user.security.token, or (8) ajaxMode parameter to ComputerMgmt/sysDetPanelQry.do; or (9) uid, (10) orion.user.security.token, or (11) ajaxMode parameter to ComputerMgmt/sysDetPanelSummary.do.
Exploits (1)
References (8)
Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/95190
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/95188
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/95187
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/95191
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/95189
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/527228
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1028803
Vendor Advisory x_refsource_confirm
https://kc.mcafee.com/corporate/index?page=content&id=KB78824
Scores
EPSS
0.0342
EPSS Percentile
87.5%
Details
CWE
CWE-79
Status
published
Products (9)
mcafee/epolicy_orchestrator
4.6.0
mcafee/epolicy_orchestrator
4.6.1
mcafee/epolicy_orchestrator
4.6.2
mcafee/epolicy_orchestrator
4.6.3
mcafee/epolicy_orchestrator
4.6.4
mcafee/epolicy_orchestrator
4.6.5
mcafee/epolicy_orchestrator
< 4.6.6
mcafee/epolicy_orchestrator_agent
4.5
mcafee/epolicy_orchestrator_agent
4.6
Published
Jul 22, 2013
Tracked Since
Feb 18, 2026