CVE-2021-31835 : Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to

Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via a specific parameter where the administrator's entries were not correctly sanitized.

Published 2021-10-22 11:15:08

Updated 2023-11-15 18:53:44

Source Trellix

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2021-31835

Mcafee » Epolicy Orchestrator
Versions before (<) 5.10.0
cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0 Update Update 1
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0 Update Update 2
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0 Update Update 3
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:*:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0 Update Update 4
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0 Update Update 5
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0 Update Update 6
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0 Update Update 7
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0 Update Update 8
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0 Update Update 9
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:*
Matching versions
Mcafee » Epolicy Orchestrator » Version: 5.10.0 Update Update 10
cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-31835

EPSS FAQ

0.25%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 48 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-31835

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
4.8	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N	1.7	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
4.8	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N	1.7	2.7	McAfee (DEFUNCT)
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
4.8	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N	1.7	2.7	Trellix
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2021-31835

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- psirt@mcafee.com (Primary)
- trellixpsirt@trellix.com (Secondary)

References for CVE-2021-31835

https://kc.mcafee.com/corporate/index?page=content&id=SB10366

Security Bulletin - ePolicy Orchestrator update addresses two product vulnerabilities (CVE-2021-31834 and CVE-2021-31835) and updates Java, OpenSSL, and Tomcat
Broken Link

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-31835

Products affected by CVE-2021-31835

Exploit prediction scoring system (EPSS) score for CVE-2021-31835

CVSS scores for CVE-2021-31835

CWE ids for CVE-2021-31835

References for CVE-2021-31835