Path traversal in McAfee ePolicy Orchestrator - CVE-2018-6660


Published: April 24, 2018


Vulnerability identifier: #VU12136
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-6660
CWE-ID: CWE-22
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: McAfee
Affected software:
McAfee ePolicy Orchestrator

Detailed vulnerability description

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper validation of the path of an exported file (path traversal). An adjacent attacker can export a specially crafted XML file, use Windows alternate data streams to bypass the file extension check, and gain access to potentially sensitive information.
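The advisory names two flaws in how the export file name is validated: directory traversal, and NTFS alternate data streams (the `name:stream` syntax) defeating an extension check that looks only at the trailing characters. The following is an added example, not McAfee code and not taken from this advisory, showing the weak check beside a hardened validator. The allow-list, the export directory, the function names and the constructed file names are all assumptions made for the illustration.

```python
"""Added example (hypothetical, not McAfee code): validating a user-supplied
export file name so that neither traversal nor an NTFS alternate data stream
can slip past an extension allow-list."""
import posixpath
from typing import Optional

# Extensions the export feature is supposed to produce (assumption for the example).
ALLOWED_SUFFIXES = (".xml",)


def naive_extension_check(filename: str) -> bool:
    """The weak pattern: trust the trailing characters of the raw user string.
    It cannot tell '..\\..\\report.xml' or 'tool.exe:report.xml' from 'report.xml'."""
    return filename.lower().endswith(ALLOWED_SUFFIXES)


def hardened_export_name(filename: str) -> Optional[str]:
    """Return the file name unchanged if it is an acceptable single-component
    name with an allowed extension, or None if it must be rejected.

    Rejected: empty or overlong names; control characters; any path separator
    (either kind, whatever the host OS, since the export may be written by a
    Windows service); any colon, which on NTFS introduces an alternate data
    stream and also appears in drive letters; trailing dots or spaces, which
    Windows strips silently so 'a.xml.' and 'a.xml' would collide; and a name
    whose extension is not on the allow list."""
    if not filename or len(filename) > 255:
        return None
    if any(ord(ch) < 32 for ch in filename):
        return None
    if "/" in filename or "\\" in filename:
        return None
    if ":" in filename:
        return None
    if filename != filename.rstrip(". "):
        return None
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem or ("." + ext.lower()) not in ALLOWED_SUFFIXES:
        return None
    return filename


def safe_export_path(export_dir: str, filename: str) -> str:
    """Join the validated name onto the export directory and, as defence in
    depth, confirm the normalised result still sits directly inside it.
    posixpath is used so the result is deterministic on any host."""
    name = hardened_export_name(filename)
    if name is None:
        raise ValueError(f"rejected export file name: {filename!r}")
    base = posixpath.normpath(export_dir)
    full = posixpath.normpath(posixpath.join(base, name))
    if posixpath.dirname(full) != base:
        raise ValueError("export path escapes the export directory")
    return full


# Constructed test names (not from the advisory): a benign export, a traversal
# attempt, an ADS name whose stream part ends in .xml, the ::$DATA stream form,
# a trailing-dot variant and a disallowed extension. Value: should it be accepted?
CONSTRUCTED_CASES = {
    "report.xml": True,
    "..\\..\\report.xml": False,
    "tool.exe:report.xml": False,
    "report.xml::$DATA": False,
    "report.xml.": False,
    "notes.txt": False,
}


def check_cases() -> dict:
    """Map each constructed name to (naive verdict, hardened verdict)."""
    return {
        name: (naive_extension_check(name), hardened_export_name(name) is not None)
        for name in CONSTRUCTED_CASES
    }


if __name__ == "__main__":
    for name, (naive, hardened) in check_cases().items():
        print(f"{name!r:26} naive={naive!s:5} hardened={hardened}")
```

Running the block shows the naive check accepting both the traversal name and the `tool.exe:report.xml` stream name because each ends in `.xml`, while the hardened validator rejects every constructed case except the plain `report.xml`. The point is that the extension must be checked on a name already known to be a single, stream-free path component, not on the raw string.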

How to mitigate CVE-2018-6660

Update to version 5.3.3 or 5.9.1.

Sources