CVE-2023-3946: 
McAfee ePolicy Orchestrator vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability (CVE-2023-3946) was identified in ePO prior to version 5.10 SP1 Update 1. The vulnerability was discovered and disclosed in July 2023, affecting McAfee ePolicy Orchestrator software. This security flaw allows remote unauthenticated attackers to potentially obtain access to an ePO administrator's session through social engineering methods (NVD).

The vulnerability is classified as a Cross-site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.1 (Medium) according to NVD, while Trellix assessed it with a score of 5.4 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N) (NVD).

If successfully exploited, this vulnerability could lead to limited access to sensitive information and limited ability to alter some information in ePO. The attack requires convincing an authenticated ePO administrator to click on a carefully crafted link (NVD).

The vulnerability has been addressed in ePO version 5.10 SP1 Update 1. Organizations are advised to upgrade to this version or later to mitigate the risk (Trellix Advisory).