CVE-2023-3946

MEDIUM

Mcafee Epolicy Orchestrator < 5.10.0 - XSS

Title source: rule

Description

A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 SP1 Update 1allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO.

References (1)

[Vendor Advisory] https://kcm.trellix.com/corporate/index?page=content&id=SB10402

Scores

CVSS v3 5.4

EPSS 0.0025

EPSS Percentile 47.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (19)

mcafee/epolicy_orchestrator < 5.10.0

mcafee/epolicy_orchestrator

... and 4 more

Timeline

Published Jul 26, 2023

Tracked Since Feb 18, 2026