Filtered by vendor Mcafee
Subscribe
Total
603 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-24578 | 1 Mcafee | 1 Total Protection | 2025-02-27 | N/A | 5.5 MEDIUM |
| McAfee Total Protection prior to 16.0.49 allows attackers to elevate user privileges due to DLL sideloading. This could enable a user with lower privileges to execute unauthorized tasks. | |||||
| CVE-2021-23874 | 1 Mcafee | 1 Total Protection | 2025-02-14 | 4.6 MEDIUM | 8.2 HIGH |
| Arbitrary Process Execution vulnerability in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and execute arbitrary code bypassing MTP self-defense. | |||||
| CVE-2019-9514 | 13 Apache, Apple, Canonical and 10 more | 30 Traffic Server, Mac Os X, Swiftnio and 27 more | 2025-01-14 | 7.8 HIGH | 7.5 HIGH |
| Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. | |||||
| CVE-2019-9513 | 12 Apache, Apple, Canonical and 9 more | 22 Traffic Server, Mac Os X, Swiftnio and 19 more | 2025-01-14 | 7.8 HIGH | 7.5 HIGH |
| Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. | |||||
| CVE-2019-9518 | 11 Apache, Apple, Canonical and 8 more | 20 Traffic Server, Mac Os X, Swiftnio and 17 more | 2025-01-14 | 7.8 HIGH | 7.5 HIGH |
| Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. | |||||
| CVE-2019-9511 | 12 Apache, Apple, Canonical and 9 more | 22 Traffic Server, Mac Os X, Swiftnio and 19 more | 2025-01-14 | 7.8 HIGH | 7.5 HIGH |
| Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | |||||
| CVE-2019-9515 | 12 Apache, Apple, Canonical and 9 more | 24 Traffic Server, Mac Os X, Swiftnio and 21 more | 2025-01-14 | 7.8 HIGH | 7.5 HIGH |
| Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | |||||
| CVE-2019-9517 | 12 Apache, Apple, Canonical and 9 more | 25 Http Server, Traffic Server, Mac Os X and 22 more | 2025-01-14 | 7.8 HIGH | 7.5 HIGH |
| Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. | |||||
| CVE-2019-9516 | 12 Apache, Apple, Canonical and 9 more | 21 Traffic Server, Mac Os X, Swiftnio and 18 more | 2025-01-14 | 6.8 MEDIUM | 6.5 MEDIUM |
| Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. | |||||
| CVE-2023-5445 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-11-21 | N/A | 5.4 MEDIUM |
| An open redirect vulnerability in ePolicy Orchestrator prior to 5.10.0 CP1 Update 2, allows a remote low privileged user to modify the URL parameter for the purpose of redirecting URL request(s) to a malicious site. This impacts the dashboard area of the user interface. A user would need to be logged into ePO to trigger this vulnerability. To exploit this the attacker must change the HTTP payload post submission, prior to it reaching the ePO server. | |||||
| CVE-2023-5444 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-11-21 | N/A | 8.0 HIGH |
| A Cross Site Request Forgery vulnerability in ePolicy Orchestrator prior to 5.10.0 CP1 Update 2 allows a remote low privilege user to successfully add a new user with administrator privileges to the ePO server. This impacts the dashboard area of the user interface. To exploit this the attacker must change the HTTP payload post submission, prior to it reaching the ePO server. | |||||
| CVE-2023-40352 | 1 Mcafee | 1 Safe Connect | 2024-11-21 | N/A | 7.2 HIGH |
| McAfee Safe Connect before 2.16.1.126 may allow an adversary with system privileges to achieve privilege escalation by loading arbitrary DLLs. | |||||
| CVE-2023-3946 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-11-21 | N/A | 5.4 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 SP1 Update 1allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO. | |||||
| CVE-2023-0978 | 2 Mcafee, Trellix | 2 Advanced Threat Defense, Intelligent Sandbox | 2024-11-21 | N/A | 6.4 MEDIUM |
| A command injection vulnerability in Trellix Intelligent Sandbox CLI for version 5.2 and earlier, allows a local user to inject and execute arbitrary operating system commands using specially crafted strings. This vulnerability is due to insufficient validation of arguments that are passed to specific CLI command. The vulnerability allows the attack | |||||
| CVE-2023-0221 | 1 Mcafee | 1 Application And Change Control | 2024-11-21 | N/A | 4.4 MEDIUM |
| Product security bypass vulnerability in ACC prior to version 8.3.4 allows a locally logged-in attacker with administrator privileges to bypass the execution controls provided by ACC using the utilman program. | |||||
| CVE-2022-3339 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-11-21 | N/A | 5.4 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 Update 14 allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO. | |||||
| CVE-2022-3338 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-11-21 | N/A | 5.4 MEDIUM |
| An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. This can be exploited by mimicking the Agent Handler call to ePO and passing the carefully constructed XML file through the API. | |||||
| CVE-2022-37025 | 1 Mcafee | 1 Security Scan Plus | 2024-11-21 | N/A | 7.8 HIGH |
| An improper privilege management vulnerability in McAfee Security Scan Plus (MSS+) before 4.1.262.1 could allow a local user to modify a configuration file and perform a LOLBin (Living off the land) attack. This could result in the user gaining elevated permissions and being able to execute arbitrary code due to lack of an integrity check of the configuration file. | |||||
| CVE-2022-2330 | 2 Mcafee, Microsoft | 2 Data Loss Prevention Endpoint, Windows | 2024-11-21 | N/A | 6.5 MEDIUM |
| Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn't usually have access to via a carefully constructed XML file, which the DLP Agent doesn't parse correctly. | |||||
| CVE-2022-2313 | 1 Mcafee | 1 Agent | 2024-11-21 | N/A | 8.2 HIGH |
| A DLL hijacking vulnerability in the MA Smart Installer for Windows prior to 5.7.7, which allows local users to execute arbitrary code and obtain higher privileges via careful placement of a malicious DLL into the folder from where the Smart installer is being executed. | |||||