McAfee Total Protection prior to 16.0.50 may allow an adversary (with full administrative access) to modify a McAfee specific Component Object Model (COM) in the Windows Registry. This can result in the loading of a malicious payload.
Source: MITRE
Max CVSS
6.7
EPSS Score
0.04%
Published
2023-03-21
Updated
2023-03-27
A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 SP1 Update 1allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO.
Source: Trellix
Max CVSS
6.1
EPSS Score
0.06%
Published
2023-07-26
Updated
2023-08-03
A command injection vulnerability in Trellix Intelligent Sandbox CLI for version 5.2 and earlier, allows a local user to inject and execute arbitrary operating system commands using specially crafted strings. This vulnerability is due to insufficient validation of arguments that are passed to specific CLI command. The vulnerability allows the attack
Source: Trellix
Max CVSS
6.7
EPSS Score
0.04%
Published
2023-03-13
Updated
2023-03-17
A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 Update 14 allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO.
Source: Trellix
Max CVSS
6.1
EPSS Score
0.14%
Published
2022-10-18
Updated
2022-10-20
Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn't usually have access to via a carefully constructed XML file, which the DLP Agent doesn't parse correctly.
Source: Trellix
Max CVSS
6.5
EPSS Score
0.11%
Published
2022-08-30
Updated
2023-11-15
Privilege escalation vulnerability in DXL Broker for Windows prior to 6.0.0.280 allows local users to gain elevated privileges by exploiting weak directory controls in the logs directory. This can lead to a denial-of-service attack on the DXL Broker.
Source: Trellix
Max CVSS
6.5
EPSS Score
0.04%
Published
2022-11-07
Updated
2022-11-08
Insecure storage of sensitive information vulnerability in MA for Linux, macOS, and Windows prior to 5.7.6 allows a local user to gain access to sensitive information through storage in ma.db. The sensitive information has been moved to encrypted database files.
Source: McAfee (DEFUNCT)
Max CVSS
6.1
EPSS Score
0.04%
Published
2022-04-14
Updated
2022-04-23
A URL redirection vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.9, 9.x prior to 9.2.20, 8.x prior to 8.2.27, and 7.x prior to 7.8.2.31, and controlled release 11.x prior to 11.1.3 allows a remote attacker to redirect a user to a malicious website controlled by the attacker. This is possible because SWG incorrectly creates a HTTP redirect response when a user clicks a carefully constructed URL. Following the redirect response, the new request is still filtered by the SWG policy.
Source: Trellix
Max CVSS
6.1
EPSS Score
0.12%
Published
2022-04-20
Updated
2023-11-16
McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a local attacker to point an ePO server to an arbitrary SQL server during the restoration of the ePO server. To achieve this the attacker would have to be logged onto the server hosting the ePO server (restricted to administrators) and to know the SQL server password.
Source: Trellix
Max CVSS
6.7
EPSS Score
0.04%
Published
2022-03-23
Updated
2023-11-15
A reflected cross-site scripting (XSS) vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to potentially obtain access to an ePO administrator's session by convincing the attacker to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO due to the area of the User Interface the vulnerability is present in.
Source: Trellix
Max CVSS
6.1
EPSS Score
0.08%
Published
2022-03-23
Updated
2023-11-15
A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the UID request parameter. The malicious script is reflected unmodified into the Policy Auditor web-based interface which could lead to the extract of end user session token or login credentials. These may be used to access additional security-critical applications or conduct arbitrary cross-domain requests.
Source: Trellix
Max CVSS
6.1
EPSS Score
0.08%
Published
2021-11-23
Updated
2023-11-21
A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the profileNodeID request parameters. The malicious script is reflected unmodified into the Policy Auditor web-based interface which could lead to the extraction of end user session token or login credentials. These may be used to access additional security-critical applications or conduct arbitrary cross-domain requests.
Source: McAfee (DEFUNCT)
Max CVSS
6.1
EPSS Score
0.14%
Published
2021-11-23
Updated
2021-11-29
A denial-of-service vulnerability in Database Security (DBS) prior to 4.8.4 allows a remote authenticated administrator to trigger a denial-of-service attack against the DBS server. The configuration of Archiving through the User interface incorrectly allowed the creation of directories and files in Windows system directories and other locations where sensitive data could be overwritten. The former could lead to a DoS, whilst the latter could lead to data destruction on the DBS server.
Source: McAfee (DEFUNCT)
Max CVSS
6.1
EPSS Score
0.43%
Published
2021-12-08
Updated
2022-04-06
Incorrect access to deleted scripts vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote authenticated attacker to gain access to signed SQL scripts which have been marked as deleted or expired within the administrative console. This access was only available through the REST API.
Source: Trellix
Max CVSS
6.5
EPSS Score
0.06%
Published
2021-06-03
Updated
2023-11-15
Information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) available in ePO repository and install them on their own machines to have it managed and then in turn get policy details from the ePO server. This can only happen when the ePO Agent Handler is installed in a Demilitarized Zone (DMZ) to service machines not connected to the network through a VPN.
Source: McAfee (DEFUNCT)
Max CVSS
6.5
EPSS Score
0.09%
Published
2021-03-26
Updated
2022-05-27
Unvalidated client-side URL redirect vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 could cause an authenticated ePO user to load an untrusted site in an ePO iframe which could steal information from the authenticated user.
Source: McAfee (DEFUNCT)
Max CVSS
6.3
EPSS Score
0.07%
Published
2021-03-26
Updated
2022-05-27
Improper Access Control in attribute in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows authenticated local administrator user to perform an uninstallation of the anti-malware engine via the running of a specific command with the correct parameters.
Source: Trellix
Max CVSS
6.7
EPSS Score
0.04%
Published
2021-02-10
Updated
2023-11-16
Use of a Broken or Risky Cryptographic Algorithm vulnerability in McAfee Database Security Server and Sensor prior to 4.8.0 in the form of a SHA1 signed certificate that would allow an attacker on the same local network to potentially intercept communication between the Server and Sensors.
Source: Trellix
Max CVSS
6.3
EPSS Score
0.07%
Published
2020-12-10
Updated
2023-11-16
Incorrect Permission Assignment for Critical Resource vulnerability in McAfee VirusScan Enterprise (VSE) prior to 8.8 Patch 16 allows local administrators to bypass local security protection through VSE not correctly integrating with Windows Defender Application Control via careful manipulation of the Code Integrity checks.
Source: McAfee (DEFUNCT)
Max CVSS
6.7
EPSS Score
0.04%
Published
2020-12-09
Updated
2020-12-10
Cross Site Request Forgery vulnerability in McAfee Network Security Management (NSM) prior to 10.1.7.35 and NSM 9.x prior to 9.2.9.55 may allow an attacker to change the configuration of the Network Security Manager via a carefully crafted HTTP request.
Source: Trellix
Max CVSS
6.6
EPSS Score
0.23%
Published
2021-01-05
Updated
2023-11-16
Improperly implemented security check in McAfee MVISION Endpoint Detection and Response Client (MVEDR) prior to 3.2.0 may allow local administrators to execute malicious code via stopping a core Windows service leaving McAfee core trust component in an inconsistent state resulting in MVEDR failing open rather than closed
Source: McAfee (DEFUNCT)
Max CVSS
6.7
EPSS Score
0.04%
Published
2020-10-15
Updated
2022-06-02
Improperly implemented security check in McAfee Active Response (MAR) prior to 2.4.4 may allow local administrators to execute malicious code via stopping a core Windows service leaving McAfee core trust component in an inconsistent state resulting in MAR failing open rather than closed
Source: McAfee (DEFUNCT)
Max CVSS
6.7
EPSS Score
0.04%
Published
2020-10-15
Updated
2020-11-03
Improper Access Control vulnerability in McAfee MVISION Endpoint prior to 20.9 Update allows local users to bypass security mechanisms and deny access to the SYSTEM folder via incorrectly applied permissions.
Source: McAfee (DEFUNCT)
Max CVSS
6.1
EPSS Score
0.04%
Published
2020-09-09
Updated
2020-09-14
Authentication Protection Bypass vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2020 Update allows physical local users to bypass the Windows lock screen via triggering certain detection events while the computer screen is locked and the McTray.exe is running with elevated privileges. This issue is timing dependent and requires physical access to the machine.
Source: McAfee (DEFUNCT)
Max CVSS
6.9
EPSS Score
0.06%
Published
2020-09-09
Updated
2022-01-01
DLL Injection Vulnerability in McAfee Agent (MA) for Windows prior to 5.6.6 allows local users to execute arbitrary code via careful placement of a malicious DLL.
Source: McAfee (DEFUNCT)
Max CVSS
6.7
EPSS Score
0.04%
Published
2020-09-10
Updated
2022-06-02
99 vulnerabilities found
1 2 3 4
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!