SQL injection in McAfee ePolicy Orchestrator - CVE-2016-8027
Published: February 3, 2017 / Updated: February 8, 2017
McAfee ePolicy Orchestrator
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary SQL commands against the web application's database.
The vulnerability exists because user-supplied data is not sufficiently sanitized before it is placed into a database query. A remote attacker can send a specially crafted HTTP POST request to a vulnerable script and execute arbitrary SQL commands against the web application's database.
Successful exploitation may allow the attacker to gain administrative access to the vulnerable web application.
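The bug class described above, shown as an added illustration rather than McAfee's or ePO's own code: a POST field pasted into a SQL statement next to the same lookup done with a bound parameter. The table, column and form-field names are hypothetical, SQLite stands in for the real application database, and the sample rows and the crafted POST body are constructed for the demo; the actual vulnerable ePO script and query are not reproduced here.

```python
"""Illustration of the CVE-2016-8027 bug class (SQL injection via a POST field).

Added example, not McAfee/ePO code. Table, column and parameter names are
hypothetical; SQLite is only a stand-in for the application database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the web application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "hash-admin", "administrator"),
         ("analyst", "hash-analyst", "reviewer")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, form: dict) -> list:
    # Insufficient sanitization: the POST fields are concatenated straight
    # into the statement, so the attacker controls the WHERE clause and
    # everything that follows it.
    sql = ("SELECT name, role FROM users WHERE name = '%s' AND pw_hash = '%s'"
           % (form["user"], form["pw"]))
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, form: dict) -> list:
    # Bound parameters: the values travel separately from the statement
    # text, so quotes or comment sequences in the input cannot change
    # the query's structure.
    sql = "SELECT name, role FROM users WHERE name = ? AND pw_hash = ?"
    return conn.execute(sql, (form["user"], form["pw"])).fetchall()


# Constructed POST bodies. In the malicious one the "--" comment sequence
# truncates the statement before the password check, so the vulnerable
# query returns the administrator's row without a valid credential.
MALICIOUS_FORM = {"user": "admin' --", "pw": "anything"}
LEGIT_FORM = {"user": "admin", "pw": "hash-admin"}


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, MALICIOUS_FORM),  # admin row leaks
        "fixed": lookup_fixed(conn, MALICIOUS_FORM),            # no match
        "legit": lookup_fixed(conn, LEGIT_FORM),                # normal login
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

SQLite's driver refuses stacked statements, so this demo only shows the authentication bypass; on a database server that accepts several statements in one request, the same concatenation lets the attacker run arbitrary SQL commands, which is the outcome the advisory describes. The fix is the same in either case: parameterize every query that carries request data, rather than trying to sanitize the input.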
How to mitigate CVE-2016-8027
- Users of ePO 5.1.3 must apply hotfix EPO513HF1167014.zip.
- Users of ePO 5.3.1 must apply hotfix EPO531HF1179709.zip.
- Users of ePO 5.3.2 must apply hotfix EPO532HF1167013.zip.
- Users of ePO 5.3.0 must first upgrade to ePO 5.3.1 or ePO 5.3.2 and then apply the hotfix for that version.
- Users of ePO 5.1.1 and ePO 5.1.2 must first upgrade to ePO 5.1.3, ePO 5.3.1, or ePO 5.3.2 and then apply the hotfix for that version.