CVE-2020-7309 - Vulnerability Details - OpenCVE

Cross Site Scripting vulnerability in ePO extension in McAfee Application Control (MAC) prior to 8.3.1 allows administrators to inject arbitrary web script or HTML via specially crafted input in the policy discovery section.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00179.

Key SSVC decision points have not yet been added.

Vendors	Products
Mcafee	Application And Change Control

Configuration 1 [-]

cpe:2.3:a:mcafee:application_and_change_control:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2020-28436	Cross Site Scripting vulnerability in ePO extension in McAfee Application Control (MAC) prior to 8.3.1 allows administrators to inject arbitrary web script or HTML via specially crafted input in the policy discovery section.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://kc.mcafee.com/corporate/index?page=content&id=SB10324

History

No history.

MITRE

Status: PUBLISHED

Assigner: trellix

Published: 2020-08-26T06:00:19.835635Z

Updated: 2024-09-16T17:03:22.066Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7309

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-08-26T06:15:12.403

Modified: 2024-11-21T05:37:02.263

Link: CVE-2020-7309

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "McAfee Application and Change Control", "vendor": "McAfee, LLC", "versions": [{"lessThan": "8.3.1", "status": "affected", "version": "8.3.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "McAfee credits Rares GOSMAN for responsibly reporting this flaw."}], "datePublic": "2020-08-25T00:00:00", "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in ePO extension in McAfee Application Control (MAC) prior to 8.3.1 allows administrators to inject arbitrary web script or HTML via specially crafted input in the policy discovery section."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-26T06:00:19", "orgId": "01626437-bf8f-4d1c-912a-893b5eb04808", "shortName": "trellix"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10324"}], "source": {"discovery": "EXTERNAL"}, "title": "Cross Site Scripting vulnerability in ePO extension of MACC", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@mcafee.com", "DATE_PUBLIC": "2020-08-25T00:00:00.000Z", "ID": "CVE-2020-7309", "STATE": "PUBLIC", "TITLE": "Cross Site Scripting vulnerability in ePO extension of MACC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "McAfee Application and Change Control", "version": {"version_data": [{"version_affected": "<", "version_name": "8.3.1", "version_value": "8.3.1"}]}}]}, "vendor_name": "McAfee, LLC"}]}}, "credit": [{"lang": "eng", "value": "McAfee credits Rares GOSMAN for responsibly reporting this flaw."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross Site Scripting vulnerability in ePO extension in McAfee Application Control (MAC) prior to 8.3.1 allows administrators to inject arbitrary web script or HTML via specially crafted input in the policy discovery section."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10324", "refsource": "CONFIRM", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10324"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:25:49.027Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10324"}]}]}, "cveMetadata": {"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808", "assignerShortName": "trellix", "cveId": "CVE-2020-7309", "datePublished": "2020-08-26T06:00:19.835635Z", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-09-16T17:03:22.066Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mcafee:application_and_change_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A29C28E-F8BE-4BE9-BDF9-CA9400A54C90", "versionEndExcluding": "8.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in ePO extension in McAfee Application Control (MAC) prior to 8.3.1 allows administrators to inject arbitrary web script or HTML via specially crafted input in the policy discovery section."}, {"lang": "es", "value": "Una vulnerabilidad de tipo Cross Site Scripting en la extensi\u00f3n ePO en McAfee Application Control (MAC) versiones anteriores a 8.3.1, permite a administradores inyectar un script web o HTML arbitrario por medio de una entrada especialmente dise\u00f1ada en la secci\u00f3n policy discovery"}], "id": "CVE-2020-7309", "lastModified": "2024-11-21T05:37:02.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.4, "source": "trellixpsirt@trellix.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-26T06:15:12.403", "references": [{"source": "trellixpsirt@trellix.com", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10324"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10324"}], "sourceIdentifier": "trellixpsirt@trellix.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "trellixpsirt@trellix.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}