Vulnerability Description
XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mcafee | Epolicy Orchestrator | <= 4.6.8 |
References
- http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-AuthentiExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2015/Jan/37Mailing ListThird Party Advisory
- http://seclists.org/fulldisclosure/2015/Jan/8Mailing ListThird Party Advisory
- http://secunia.com/advisories/61922
- http://www.securitytracker.com/id/1031519
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99950
- https://gist.github.com/brandonprry/692e553975bf29aeaf2c
- https://kc.mcafee.com/corporate/index?page=content&id=SB10095PatchVendor Advisory
- http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-AuthentiExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2015/Jan/37Mailing ListThird Party Advisory
- http://seclists.org/fulldisclosure/2015/Jan/8Mailing ListThird Party Advisory
- http://secunia.com/advisories/61922
- http://www.securitytracker.com/id/1031519
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99950
- https://gist.github.com/brandonprry/692e553975bf29aeaf2c
FAQ
What is CVE-2015-0921?
CVE-2015-0921 is a vulnerability with a CVSS score of 4.0 (MEDIUM). XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the ...
How severe is CVE-2015-0921?
CVE-2015-0921 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-0921?
Check the references section above for vendor advisories and patch information. Affected products include: Mcafee Epolicy Orchestrator.