CVE-2022-3339: 
McAfee ePolicy Orchestrator vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was identified in McAfee ePolicy Orchestrator (ePO) prior to version 5.10 Update 14, tracked as CVE-2022-3339. The vulnerability was discovered and reported by Trellix on September 27, 2022. This security flaw affects McAfee ePO installations across all versions up to but not including version 5.10 Update 14 (NVD, CVE Mitre).

The vulnerability is classified as a reflected cross-site scripting (XSS) issue, categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 6.1 (MEDIUM) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Trellix has assigned a slightly lower CVSS score of 5.4 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability could allow an attacker to obtain access to an ePO administrator's session, leading to limited access to sensitive information and limited ability to alter some information in ePO. The impact is considered moderate as it requires user interaction and results in limited information disclosure and modification capabilities (CVE Mitre).

The primary mitigation for this vulnerability is to upgrade to ePO version 5.10 Update 14 or later. All versions prior to this update are considered vulnerable and should be updated to address this security issue (NVD).