Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-31852

A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the UID request parameter. The malicious script is reflected unmodified into the Policy Auditor web-based interface which could lead to the extract of end user session token or login credentials. These may be used to access additional security-critical applications or conduct arbitrary cross-domain requests.

Published

2021-11-23T20:15:10.727

Last Modified

2024-11-21T06:06:21.447

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-79
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	mcafee	policy_auditor	< 6.5.2	Yes

References

https://kc.mcafee.com/corporate/index?page=content&id=SB10372 Broken Link, Vendor Advisory ([email protected])
https://kc.mcafee.com/corporate/index?page=content&id=SB10372 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)