CVE-2023-5444

EPSS 0.34%
Published 17.11.2023 10:15:07
Last modified 21.11.2024 08:41:46
Source trellixpsirt@trellix.com
Teams watchlist Login
Open Login

A Cross Site Request Forgery vulnerability in ePolicy Orchestrator prior to 5.10.0 CP1 Update 2 allows a remote low privilege user to successfully add a new user with administrator privileges to the ePO server. This impacts the dashboard area of the user interface. To exploit this the attacker must change the HTTP payload post submission, prior to it reaching the ePO server.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Mcafee ≫ Epolicy Orchestrator Version < 5.10.0

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateservice_pack_1_update

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateservice_pack_1_update_1

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_1

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_10

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_11

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_11_hotfix_1

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_11_hotfix_2

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_12

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_13

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_14

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_15

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_2

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_3

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_4

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_5

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_6

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_7

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_8

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.34%	0.556

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8	2.1	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
trellixpsirt@trellix.com	8	2.1	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://kcm.trellix.com/agent/index?page=content&id=SB10410

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2023-5444

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-5444

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-5444

EUVD