Vigil@nce - McAfee ePO: information disclosure via console
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who is authenticated on the McAfee ePO console, can
access to information of other users.
Impacted products: ePO
Severity: 2/4
Creation date: 24/08/2012
DESCRIPTION OF THE VULNERABILITY
The McAfee ePolicy Orchestrator console contains private
information: managed systems, activity, IP addresses, etc.
An authenticated user should only access to information of his
environment. However, by changing the ID parameter in the url, he
can access to information associated to the user owning this
identifier.
An attacker, who is authenticated on the McAfee ePO console, can
therefore access to information of other users.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/McAfee-ePO-information-disclosure-via-console-11885