Mcafee Epolicy Orchestrator (Epo)
Approved changes feed: RSS · Atom
cpe:2.3:a:mcafee,llc:mcafee_epolicy_orchestrator_(epo):*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Mcafee,Llc (a07eec98-d34c-5045-9a0e-859fd3b6002d) |
|---|---|
| Product | Mcafee Epolicy Orchestrator (Epo) (01d60ae6-4edc-59ba-b75a-d256976fceec) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2022-0862 |
vulnerable | 2026-06-03 14:45:57.288657 |
ePO password change vulnerability
LOW (3.1)
A lack of password change protection vulnerability in a depreciated API of McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to change the password of a compromised session without knowing the existing user's password. This functionality was removed from the User Interface in ePO 10 and the API has now been disabled. Other protection is in place to reduce the likelihood of this being successful through sending a link to a logged in user.
Published: 2022-03-23T14:25:12.000Z
Updated: 2024-08-02T23:40:04.495Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0861 |
vulnerable | 2026-06-03 14:45:57.288010 |
ePO XML extended entity vulnerability
LOW (3.5)
A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension import functionality. The impact is limited to some access to confidential information and some ability to alter data.
Published: 2022-03-23T14:25:19.000Z
Updated: 2024-08-02T23:40:04.557Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0859 |
vulnerable | 2026-06-03 14:45:57.280601 |
ePO database restoration vulnerability
MEDIUM (6.5)
McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a local attacker to point an ePO server to an arbitrary SQL server during the restoration of the ePO server. To achieve this the attacker would have to be logged onto the server hosting the ePO server (restricted to administrators) and to know the SQL server password.
Published: 2022-03-23T14:20:12.000Z
Updated: 2024-08-02T23:40:04.552Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0858 |
vulnerable | 2026-06-03 14:45:57.279990 |
Cross-site scripting vulnerability in ePO
MEDIUM (4.3)
A cross-site scripting (XSS) vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to potentially obtain access to an ePO administrator's session by convincing the attacker to click on a carefully crafted link. This would lead to limited ability to alter some information in ePO due to the area of the User Interface the vulnerability is present in.
Published: 2022-03-23T14:20:19.000Z
Updated: 2025-04-23T18:44:46.821Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0857 |
vulnerable | 2026-06-03 14:45:57.279224 |
ePO Reflected Cross-site scripting vulnerability
MEDIUM (5.4)
A reflected cross-site scripting (XSS) vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to potentially obtain access to an ePO administrator's session by convincing the attacker to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO due to the area of the User Interface the vulnerability is present in.
Published: 2022-03-23T14:15:19.000Z
Updated: 2024-08-02T23:40:04.563Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-0842 |
vulnerable | 2026-06-03 14:45:57.234643 |
ePO blind SQL Injection vulnerability
MEDIUM (5.4)
A blind SQL injection vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote authenticated attacker to potentially obtain information from the ePO database. The data obtained is dependent on the privileges the attacker has and to obtain sensitive data the attacker would require administrator privileges.
Published: 2022-03-23T14:10:13.000Z
Updated: 2024-08-02T23:40:04.502Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-31835 |
vulnerable | 2026-06-03 14:44:33.596363 |
McAfee ePO Cross-Site Scripting vulnerability
MEDIUM (4.8)
Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via a specific parameter where the administrator's entries were not correctly sanitized.
Published: 2021-10-22T11:05:11.000Z
Updated: 2024-08-03T23:10:30.688Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-31834 |
vulnerable | 2026-06-03 14:44:33.595686 |
McAfee ePO Cross-Site Scripting vulnerability
Stored Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.
Published: 2021-10-22T11:05:18.000Z
Updated: 2024-08-03T23:10:30.570Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-23890 |
vulnerable | 2026-06-03 14:43:55.841765 |
McAfee ePO Information Leak vulnerability
MEDIUM (6.5)
Information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) available in ePO repository and install them on their own machines to have it managed and then in turn get policy details from the ePO server. This can only happen when the ePO Agent Handler is installed in a Demilitarized Zone (DMZ) to service machines not connected to the network through a VPN.
Published: 2021-03-26T09:35:15.000Z
Updated: 2024-08-03T19:14:09.188Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-23889 |
vulnerable | 2026-06-03 14:43:55.841204 |
McAfee ePO Cross-site Scripting vulnerability
LOW (3.5)
Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.
Published: 2021-03-26T09:30:15.000Z
Updated: 2024-08-03T19:14:09.155Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-23888 |
vulnerable | 2026-06-03 14:43:55.840570 |
McAfee ePO unvalidated URL redirect vulnerability
MEDIUM (6.3)
Unvalidated client-side URL redirect vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 could cause an authenticated ePO user to load an untrusted site in an ePO iframe which could steal information from the authenticated user.
Published: 2021-03-26T09:30:21.000Z
Updated: 2024-08-03T19:14:09.497Z Reference links |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.