CVE-2022-3339 An XSS vulnerability in ePO 5.10 before Update 14 allows an attacker to access the administrator's session of an authenticated ePO admin.

This issue has been resolved in ePO 5.10 Update 14 and later. An unauthenticated remote attacker can potentially inject arbitrary script code in a hosted view. This issue has been resolved in ePO 5.10 Update 14 and later. An unauthenticated remote attacker can inject arbitrary script tags in the “Team” tab of a project. The attacker would need to access the project via the “Team” tab to inject the code. This issue has been resolved in ePO 5.10 Update 14 and later. An unauthenticated remote attacker can inject arbitrary script tags in the “eRoles” tab of a project. The attacker would need to access the project via the “eRoles” tab to inject the code.

Impact Injection A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 Update 14 allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO.
A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 Update 14 allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive

How do I know if my site is vulnerable?

To determine if your site is vulnerable, follow the steps below:
1. Open a web browser and navigate to https://www.epo.com/admin/privileges
2. In the "Create User" tab, click on the "Create new user" link
3. If the "Create New User" link does not work properly, you will see an error message stating that "An unauthenticated remote attacker can potentially inject arbitrary script code in a hosted view."

ePO 5.10 Update 14 and later resolves this vulnerability.

The vulnerability has been resolved in ePO 5.10 Update 14 and later. An unauthenticated remote attacker can no longer exploit this vulnerability on affected versions of ePO. The issue has been resolved in ePO 5.10 Update 14 and later. An unauthenticated remote attacker cannot exploit an XSS vulnerability in the Admin console or project views by hosting a specially crafted web page to perform arbitrary actions on an administrator's session.

How do I know if my system is affected?

System administrators should contact the ePO support team (support@epo.com) to determine if their system is affected by this issue.

Timeline

Published on: 10/18/2022 10:15:00 UTC
Last modified on: 10/20/2022 12:39:00 UTC

References

• https://kcm.trellix.com/corporate/index?page=content&id=SB10387
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3339