CVE-2020-7318— ePolicy Orchistrator (ePO) - Cross-Site Scripting vulnerability
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-7318
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ePolicy Orchistrator (ePO) - Cross-Site Scripting vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10.9 Update 9 allows administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
McAfee ePolicy Orchistrator(ePO) 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
McAfee ePolicy Orchistrator(ePO)是美国迈克菲(McAfee)公司的一套可扩展的安全管理软件。该软件可对终端、网络、内容安全和合规解决方案实现集中的简化管理。 McAfee ePolicy Orchistrator(ePO) 5.10.9 Update 9 之前版本存在跨站脚本漏洞,该漏洞源于允许管理员通过“syncPointList”的参数值注入任意的web脚本或HTML,而这些参数值没有被正确地清理。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| McAfee | ePolicy Orchistrator (ePO) | unspecified ~ 5.10.9 update 9 | - |
II. Public POCs for CVE-2020-7318
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | McAfee ePolicy Orchestrator before 5.10.9 Update 9 is vulnerable to a cross-site scripting vulnerability that allows administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. reference: - https://swarm.ptsecurity.com/vulnerabilities-in-mcafee-epolicy-orchestrator/ - https://kc.mcafee.com/corporate/index?page=content&id=SB10332 - https://nvd.nist.gov/vuln/detail/CVE-2020-7318 | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-7318.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-7318
请登录查看更多情报信息。
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2020-7318
IV. Related Vulnerabilities
Same vendor: McAfee
- CVE-2022-0280
McAfee Total Protection (MTP) - File Deletion vulnerability - CVE-2022-0815
McAfee WebAdvisor - Extension Fingerprinting vulnerability - CVE-2021-31848
Data Loss Prevention (DLP) ePO extension - Cross site script - CVE-2021-31849
Data Loss Prevention (DLP) ePO extension - SQL injection - CVE-2021-23877
McAfee Total Protection (MTP) - Privilege Escalation vulnera
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2020-7318
No comments yet