CVE-2013-4883

22.07.2013, 11:21

Multiple cross-site scripting (XSS) vulnerabilities in McAfee ePolicy Orchestrator 4.6.6 and earlier, and the ePO Extension for the McAfee Agent (MA) 4.5 through 4.6, allow remote attackers to inject arbitrary web script or HTML via the (1) instanceId parameter core/loadDisplayType.do; (2) instanceId or (3) monitorUrl parameter to console/createDashboardContainer.do; uid parameter to (4) ComputerMgmt/sysDetPanelBoolPie.do or (5) ComputerMgmt/sysDetPanelSummary.do; (6) uid, (7) orion.user.security.token, or (8) ajaxMode parameter to ComputerMgmt/sysDetPanelQry.do; or (9) uid, (10) orion.user.security.token, or (11) ajaxMode parameter to ComputerMgmt/sysDetPanelSummary.do.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Vector
NIST	NIST	4.3 UNKNOWN	NETWORK	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N
mitre	CNA	---			---
CVE	ADP	---			---

Base Score

CVSS 3.x

EPSS Score

Percentile: 86%

Vendor	Product	Version
mcafee	epolicy_orchestrator	𝑥 ≤ 4.6.6
mcafee	epolicy_orchestrator	4.6.0
mcafee	epolicy_orchestrator	4.6.1
mcafee	epolicy_orchestrator	4.6.2
mcafee	epolicy_orchestrator	4.6.3
mcafee	epolicy_orchestrator	4.6.4
mcafee	epolicy_orchestrator	4.6.5
mcafee	epolicy_orchestrator_agent	4.5
mcafee	epolicy_orchestrator_agent	4.6