Web application abuses : McAfee Asset Manager Multiple Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.804428

Categoría: Web application abuses

Título: McAfee Asset Manager Multiple Vulnerabilities

Resumen: McAfee Asset Manager is prone to directory traversal and SQL injection vulnerabilities.

Descripción: Summary:
McAfee Asset Manager is prone to directory traversal and SQL injection vulnerabilities.

Vulnerability Insight:
The flaws are due to:

- The '/servlet/downloadReport' script not properly sanitizing user input,
specifically path traversal style attacks supplied via the 'reportFileName'
GET parameter.

- The /jsp/reports/ReportsAudit.jsp script not properly sanitizing
user-supplied input to the 'user' POST parameter.

Vulnerability Impact:
Successful exploitation will allow attackers to disclose potentially sensitive
information and inject or manipulate SQL queries in the back-end database,
allowing for the manipulation or disclosure of arbitrary data.

Affected Software/OS:
McAfee Asset Manager version 6.6

Solution:
No known solution was made available for at least one year since the disclosure of this vulnerability.
Likely none will be provided anymore.
General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

CVSS Score:
6.5

CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2014-2587
BugTraq ID: 66302
http://www.securityfocus.com/bid/66302
http://www.exploit-db.com/exploits/32368
http://seclists.org/fulldisclosure/2014/Mar/325
http://packetstormsecurity.com/files/125775/McAfee-Cloud-SSO-Asset-Manager-Issues.html
http://www.osvdb.org/104634
http://www.securitytracker.com/id/1029927
XForce ISS Database: mcafee-asset-reportsaudit-sql-injection(91929)
https://exchange.xforce.ibmcloud.com/vulnerabilities/91929
Common Vulnerability Exposure (CVE) ID: CVE-2014-2588
http://www.osvdb.org/104633
XForce ISS Database: mcafee-asset-dir-traversal(91930)
https://exchange.xforce.ibmcloud.com/vulnerabilities/91930

Copyright Copyright (C) 2014 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.804428
Categoría:	Web application abuses
Título:	McAfee Asset Manager Multiple Vulnerabilities
Resumen:	McAfee Asset Manager is prone to directory traversal and SQL injection vulnerabilities.
Descripción:	Summary: McAfee Asset Manager is prone to directory traversal and SQL injection vulnerabilities. Vulnerability Insight: The flaws are due to: - The '/servlet/downloadReport' script not properly sanitizing user input, specifically path traversal style attacks supplied via the 'reportFileName' GET parameter. - The /jsp/reports/ReportsAudit.jsp script not properly sanitizing user-supplied input to the 'user' POST parameter. Vulnerability Impact: Successful exploitation will allow attackers to disclose potentially sensitive information and inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Affected Software/OS: McAfee Asset Manager version 6.6 Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. CVSS Score: 6.5 CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2014-2587 BugTraq ID: 66302 http://www.securityfocus.com/bid/66302 http://www.exploit-db.com/exploits/32368 http://seclists.org/fulldisclosure/2014/Mar/325 http://packetstormsecurity.com/files/125775/McAfee-Cloud-SSO-Asset-Manager-Issues.html http://www.osvdb.org/104634 http://www.securitytracker.com/id/1029927 XForce ISS Database: mcafee-asset-reportsaudit-sql-injection(91929) https://exchange.xforce.ibmcloud.com/vulnerabilities/91929 Common Vulnerability Exposure (CVE) ID: CVE-2014-2588 http://www.osvdb.org/104633 XForce ISS Database: mcafee-asset-dir-traversal(91930) https://exchange.xforce.ibmcloud.com/vulnerabilities/91930
Copyright	Copyright (C) 2014 Greenbone AG