Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2018.0154
McAfee NSM fixes XSS vulnerability
12 July 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: McAfee Network Security Manager
Operating System: Windows
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2018-6681
Member content until: Saturday, August 11 2018
OVERVIEW
A vulnerability has been identified in McAfee Network Security Manager
prior to version 9.1.7.49. [1]
IMPACT
The vendor has provided the following information regarding the
vulnerability:
"CVE-2018-6681
Abuse of Functionality vulnerability in the web interface in McAfee Network
Security Management (NSM) 9.1.7.11 and earlier allows authenticated users to
allow arbitrary HTML code to be reflected in the response web page via the
appliance web interface.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6681" [1]
MITIGATION
McAfee advises updating to NSM version 9.1.7.49 to address this
vulnerability. [1]
REFERENCES
[1] McAfee Security Bulletin - Network Security Manager software update
fixes arbitrary HTML code injection in the response web page issue
https://kc.mcafee.com/corporate/index?page=content&id=SB10244
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW0bubWaOgq3Tt24GAQg+RA//fezJAF+MUZ1aD58gabty4kmhysszQsmK
mAB4RvuVJCaa/qpIlnYcxmHphaiY5R94mlnVlDWxSfKFIec+8frKVoV0/H85unw3
iRCSaUeQE99Zd8y6SNN2R6NF73FPDlukFcyV9Vdd3sIVzh46x3fGvUznnbweVZ0/
/WTr71GjOHvv0iBMXFpUp5ZoCDmRyPSt80rdHcdDXJAI0PtKZV0I2Wd/HeGKr3h4
bm5eg8IXk3T8kYZhy8kRYUj9TR4VgRgJabD0k1B1Domup6wgjHqROlnM0yjvc+uO
vxiCf0W5pqKaszIodUikxrzkgyWBB5z5mTSAsN/45rV4z6QA47Zg+RwLMVKB/Yhj
IeAyVhDZEJUtRNfm0Yqbj5utOZi2fH7MccXnqn4jcrB5yvWPx1ZaehxZcQdWmdcs
l+3P4pOwtO4VZkaT5Lajabm6Klx7px6cHv3E6cwBv7jCPEie+FYScOB93XrqN3LN
fPQ+RHXcdT7ymvZmQeIBJ6suxJxBWtqqiBaIiQDyA1AW4a8pMceotK03Uyqg8f3b
gGGFqRTrAi+NU9574L88tB9ICpgV5iV+/4yB68B9E+pYRhjMg+OmGsiMnd7e3kZm
afSW5jJeMd9V3nArWoADKgInZ+UgfXkolyMVNpYHh+gTh2Q4qSlzk+6lSQBbOQwP
3HnuyJcF64M=
=bhDs
-----END PGP SIGNATURE-----