McAfee Discloses XSS Vulnerability in Its Security Management Console


Positive Technologies discovered a cross-site scripting bug in McAfee ePolicy Orchestrator which can lead to arbitrary web script or HTML code injection. Here’s how to fix it.

A security researcher at Positive Technologies has discovered a vulnerability in McAfee’s ePolicy Orchestrator (ePO), which is used by over 36,000 organizations. McAfee ePO is a security management solution that centralizes endpoint, network and data security management, and brings operational harmony between security and IT operations teams.

The vulnerability, tracked as CVE-2020-7318, is a cross-site scripting bug that could allow attackers to take advantage of the elevated privileges of a system administrator. By tricking a system administrator into clicking a malicious link, an attacker can inject arbitrary web script or HTML code into the console.

Mikhail Klyuchnikov, Senior Web Application Security Researcher at Positive Technologies, who discovered the flaw, told Toolbox, “This cross-site scripting flaw could allow criminals to trick administrators into disabling protection. It could also enable further attack development through the identification of additional vulnerabilities on the network.”


With a CVSS score of 4.6, the XSS vulnerability has a moderate severity rating. Despite the low score on the CVSS scale, the flaw can potentially be used in both internal and externally-sourced attacks, and it affects both the SaaS and IaaS-based versions of McAfee ePO. “This vulnerability in McAfee ePolicy Orchestrator is important for organizations to patch. The security management console is used by organizations to protect endpoints, networks, and data, and ensure compliance with security standards,” said Klyuchnikov.

Users of McAfee ePO should immediately update their systems to ePO 5.10.0 Update 9 to mitigate the threat from CVE-2020-7318.
