CVE-2023-5444

A Cross-Site Request Forgery vulnerability in ePolicy Orchestrator prior to 5.10.0 CP1 Update 2 allows a remote low-privileged user to add a new user with administrator privileges to the ePO server. The affected functionality is in the dashboard area of the user interface. To exploit this, the attacker must modify the HTTP payload after it is submitted and before it reaches the ePO server.
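The advisory does not say which check the dashboard form lacked, so the following is an added illustration, not ePolicy Orchestrator code: a minimal model of an "add user" endpoint with no CSRF defence next to a hardened version that validates the request origin, a per-session synchronizer token, and the caller's authority over the requested role. Every name in it is an assumption for the example (TRUSTED_ORIGIN, the Session and Request classes, the role names, the "backdoor" account); the three request scenarios are constructed, and the second one models the tampering case the description mentions, a low-privileged user's own form submission with the role field edited in transit.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed console origin (not from ePO); real code would read it from config.
TRUSTED_ORIGIN = "https://epo.example.internal:8443"
VALID_ROLES = ("admin", "viewer")


@dataclass
class Session:
    """Server-side session. The synchronizer token is random per session and
    is never exposed to a page on another origin."""
    user: str
    role: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    session: Session  # resolved from the cookie the browser attached


def add_user_vulnerable(req, store):
    """Trusts the session cookie alone: any POST that arrives with a valid
    session is executed, whoever caused the browser to send it."""
    if req.method != "POST":
        return 405, "method not allowed"
    store[req.form["username"]] = req.form["role"]
    return 200, "created"


def add_user_hardened(req, store):
    """Same endpoint with three independent checks: request origin, the
    per-session synchronizer token, and authorisation on the requested role."""
    if req.method != "POST":
        return 405, "method not allowed"
    # Origin/Referer are set by the browser; a cross-site page cannot spoof them.
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if origin != TRUSTED_ORIGIN and not origin.startswith(TRUSTED_ORIGIN + "/"):
        return 403, "origin mismatch"
    # Constant-time compare of the submitted token against the session copy.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), req.session.csrf_token):
        return 403, "missing or invalid csrf token"
    # Authorise the effect: a viewer who edits the role field in transit still
    # cannot create an administrator.
    role = req.form.get("role", "")
    if role not in VALID_ROLES:
        return 400, "unknown role"
    if req.session.role != "admin":
        return 403, "insufficient privilege"
    store[req.form["username"]] = role
    return 200, "created"


def scenarios():
    """Constructed requests: a forged cross-site POST riding an admin's cookie,
    a viewer's own form submission with the role field tampered in transit,
    and a genuine admin submission for comparison."""
    admin = Session("alice", "admin")
    viewer = Session("bob", "viewer")
    body = {"username": "backdoor", "role": "admin"}
    return {
        "forged_cross_site": Request("POST", {"Origin": "https://attacker.example"},
                                     dict(body), admin),
        "tampered_own": Request("POST", {"Origin": TRUSTED_ORIGIN},
                                dict(body, csrf_token=viewer.csrf_token), viewer),
        "legitimate_admin": Request("POST", {"Origin": TRUSTED_ORIGIN},
                                    dict(body, csrf_token=admin.csrf_token), admin),
    }


def run_scenarios():
    """Status code from each handler per scenario, plus whether an admin
    account named 'backdoor' ended up in the store."""
    out = {}
    for name, req in scenarios().items():
        v_store, h_store = {}, {}
        v_status, _ = add_user_vulnerable(req, v_store)
        h_status, _ = add_user_hardened(req, h_store)
        out[name] = {"vulnerable": v_status, "hardened": h_status,
                     "admin_created_vulnerable": v_store.get("backdoor") == "admin",
                     "admin_created_hardened": h_store.get("backdoor") == "admin"}
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The three checks are deliberately independent. The origin check and the synchronizer token each stop the forged cross-site POST, but neither stops an authenticated low-privileged user from tampering with their own submission, because that request carries a genuine token from a trusted origin; only authorising the requested effect against the caller's role closes that path. A SameSite cookie attribute is a complementary browser-side control, not a replacement for the server-side checks.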

CSRF
CVSS 3.x base scores

Provider   Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  8.0 HIGH    NETWORK      LOW              LOW             CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
trellix    CNA   8.0 HIGH    NETWORK      LOW              LOW             CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE        ADP   ---         ---          ---              ---             ---
CISA-ADP   ADP   ---         ---          ---              ---             ---

Both vectors also carry UI:R (user interaction required), which the columns above do not show: a victim with a valid ePO session must perform the action for the forged request to take effect.

EPSS score: percentile 55%
Affected configurations (all listed versions are vulnerable; per the description, the fix is 5.10.0 CP1 Update 2)

Vendor   Product               Version
mcafee   epolicy_orchestrator  < 5.10.0
mcafee   epolicy_orchestrator  5.10.0:service_pack_1_update
mcafee   epolicy_orchestrator  5.10.0:service_pack_1_update_1
mcafee   epolicy_orchestrator  5.10.0:update_1
mcafee   epolicy_orchestrator  5.10.0:update_2
mcafee   epolicy_orchestrator  5.10.0:update_3
mcafee   epolicy_orchestrator  5.10.0:update_4
mcafee   epolicy_orchestrator  5.10.0:update_5
mcafee   epolicy_orchestrator  5.10.0:update_6
mcafee   epolicy_orchestrator  5.10.0:update_7
mcafee   epolicy_orchestrator  5.10.0:update_8
mcafee   epolicy_orchestrator  5.10.0:update_9
mcafee   epolicy_orchestrator  5.10.0:update_10
mcafee   epolicy_orchestrator  5.10.0:update_11
mcafee   epolicy_orchestrator  5.10.0:update_11_hotfix_1
mcafee   epolicy_orchestrator  5.10.0:update_11_hotfix_2
mcafee   epolicy_orchestrator  5.10.0:update_12
mcafee   epolicy_orchestrator  5.10.0:update_13
mcafee   epolicy_orchestrator  5.10.0:update_14
mcafee   epolicy_orchestrator  5.10.0:update_15