CVE-2023-5445: 
McAfee ePolicy Orchestrator vulnerability analysis and mitigation

An open redirect vulnerability (CVE-2023-5445) was discovered in ePolicy Orchestrator versions prior to 5.10.0 CP1 Update 2. The vulnerability was disclosed on November 17, 2023, affecting the dashboard area of the user interface. This security flaw allows a remote low-privileged user to modify URL parameters for redirecting requests to malicious sites (NVD).

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site). It received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The exploitation requires the attacker to change the HTTP payload post submission before it reaches the ePO server, and a user must be logged into ePO to trigger this vulnerability (NVD).

If successfully exploited, this vulnerability could allow attackers to redirect users to malicious websites, potentially leading to phishing attacks or the distribution of malware. The impact is considered moderate, affecting both confidentiality and integrity with low severity, while availability remains unaffected (NVD).

The vulnerability has been addressed in ePolicy Orchestrator version 5.10.0 CP1 Update 2. Users are advised to upgrade to this version or later to mitigate the risk (Trellix Advisory).