A vulnerability in ePO 5.1.3 has been discovered and resolved.
AFFECTED SOFTWARE: 220.127.116.11
The vulnerability is remediated in these versions:
• ePolicy Orchestrator 5.1.3 Hotfix 1110787.
• Fix will be included in 5.1.4 (when available).
• Issue never impacted ePO 5.3.0 or higher
• CVE-2017-3902 (CVSS: 4.0; Severity: Medium)
A cross-site scripting (XSS) vulnerability in the Web user interface (UI) in ePO 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows authenticated users to inject malicious Java scripts via bypassing input validation.
Intel Security recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see Knowledge Base article SB10184 – Intel Security – Security Bulletin: ePolicy Orchestrator update fixes cross-site scripting vulnerability (CVE-2017-3902) (https://kc.mcafee.com/corporate/index?page=content&id=SB10184)
For more information on the hotfix see the ePO 5.1.3 Hotfix 1110787 Release Notes:
PD26861 – https://kc.mcafee.com/corporate/index?page=content&id=PD26861