# McAfee ePolicy Orchestrator: XML External Entity Expansion in Dashboard Details

- Product: McAfee ePolicy Orchestrator
- Affected Versions: 4.6.7 and below
- Fixed Versions: 4.6.7 with hotfix 940148
- Vulnerability Type: XML External Entity Expansion
- Security Risk: High
- Vendor URL: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx
- Vendor Status: Hotfix released
- Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-001
- Advisory Status: Public
- CVE: CVE-2014-2205
- CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2205

## Introduction

McAfee ePolicy Orchestrator (ePO) centrally manages other systems, including deploying software to them and collecting system information from them. Users with the appropriate permissions can create and view dashboards.

## More Details

An authenticated user can define a dashboard from crafted XML. The parser that processes the dashboard definition resolves external entities, so a DOCTYPE declaring an entity whose SYSTEM identifier points at a local file is expanded to that file's contents, which are then returned to the user as part of the dashboard. This allows arbitrary files readable by the ePO service to be extracted from the ePO server, including sensitive ones such as the database configuration.

## Example Attack

## Workaround

No specific workaround is available.

## Fix

McAfee released hotfix 940148 for version 4.6.7.

## Security Risk

Exploitation requires valid ePO login credentials. The vulnerability is nevertheless rated high risk, because the files readable from the ePO server include its database configuration and therefore ePO's database credentials.

## Sensitive Data Path Example

## Timeline

- 2013-11-20: Vulnerability identified
- 2014-02-14: Vendor replied to customer
- 2014-02-24: Hotfix released for version 4.6.7
- 2014-02-25: Advisory released
- 2014-02-27: CVE number added
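The file read described under More Details, as an added example that is not the advisory's or McAfee's code: ePO's dashboard parser is not public, so a small Python `xml.sax` consumer stands in for it. The element names (`dashboard`, `title`), the entity name `xxe`, the secret file `db.properties` and its contents are all constructed for this example and are not ePO's real paths or data. The vulnerable configuration enables external general entity expansion, which is the behaviour the advisory describes; the hardened configuration disables expansion and additionally rejects any DOCTYPE, so no entity can be declared in the first place.

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)

# Constructed stand-in for the database configuration the advisory says can be
# read from the ePO server. Path and contents are assumptions for this example.
CONSTRUCTED_SECRET = "db.user=epo\ndb.password=s3cret\n"


class DoctypeNotAllowed(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE is seen."""


class TitleCollector(ContentHandler):
    """Collects the text of every <title>, as a dashboard importer might."""

    def __init__(self):
        super().__init__()
        self.titles = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "title":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "title" and self._buf is not None:
            self.titles.append("".join(self._buf))
            self._buf = None


class RejectDoctype:
    """SAX LexicalHandler that refuses any DTD; without a DTD no entity can be
    declared, so external entity expansion never gets a chance to happen."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeNotAllowed("DOCTYPE %r is not allowed in dashboard XML" % name)

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def build_payload(target_uri):
    """Dashboard-shaped XML (constructed element names) whose <title> is an
    external entity pointing at target_uri; a resolving parser copies that
    file into the title text."""
    doctype = '<!DOCTYPE dashboard [ <!ENTITY xxe SYSTEM "%s"> ]>\n' % target_uri
    body = "<dashboard><title>&xxe;</title></dashboard>\n"
    return ('<?xml version="1.0"?>\n' + doctype + body).encode()


def parse_dashboard(xml_bytes, hardened):
    """Return the titles found in xml_bytes.

    hardened=False resolves external general entities: the vulnerable
    behaviour the advisory describes. hardened=True turns expansion off and
    rejects any DOCTYPE before a single entity can be declared.
    """
    collector = TitleCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, not hardened)
    if hardened:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    parser.parse(io.BytesIO(xml_bytes))
    return collector.titles


def demo():
    """Run both parser configurations against a constructed secret file.

    Returns (leaked_titles, hardened_outcome): the titles the vulnerable
    parser produced, and either the hardened parser's titles or the name of
    the exception it raised.
    """
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "db.properties")  # constructed path
        with open(secret_path, "w") as fh:
            fh.write(CONSTRUCTED_SECRET)
        payload = build_payload(Path(secret_path).as_uri())
        leaked = parse_dashboard(payload, hardened=False)
        try:
            hardened_outcome = parse_dashboard(payload, hardened=True)
        except DoctypeNotAllowed as exc:
            hardened_outcome = type(exc).__name__
    return leaked, hardened_outcome


if __name__ == "__main__":
    leaked, outcome = demo()
    print("vulnerable parser, <title> text:", repr(leaked[0]))
    print("hardened parser:", outcome)
```

The vulnerable run returns the secret file verbatim as the dashboard title, which is exactly the data exposure the advisory rates as high risk. Disabling external entity resolution alone is the minimal fix, but it silently turns `&xxe;` into empty text; rejecting the DOCTYPE outright fails loudly on any attempt and also removes the DTD-based denial-of-service variants. For a Java parser, the equivalent is setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the JAXP factory.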