SB2018042418 - Multiple vulnerabilities in McAfee products

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2018-6659)

The vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.

The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Path traversal (CVE-ID: CVE-2018-6660)

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The weakness exists due to path traversal. An adjacent attacker can export a specially crafted XML file, use Windows alternate data streams, bypass the file extensions via improper validation of the path and gain access to potentially sensitive information.

3) Insecure DLL loading (CVE-ID: CVE-2018-6661)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists in Microsoft Windows Client due to insecure .dll loading mechanism when opening files. A local attacker can place a file along with a specially crafted .dll file on a remote SBM or WebDAV share and gain root privileges.

Remediation

Install update from vendor's website.

References

• https://kc.mcafee.com/corporate/index?page=content&id=SB10228
• https://service.mcafee.com/webcenter/portal/cp/home/articleview;jsessionid=cw33gi8_smALxPDOkXgwjbb22...