CVE-2021-4088

SQL injection vulnerability in Data Loss Protection (DLP) ePO extension 11.8.x prior to 11.8.100, 11.7.x prior to 11.7.101, and 11.6.401 allows a remote authenticated attacker to inject unfiltered SQL into the DLP part of the ePO database. This could lead to remote code execution on the ePO server with privilege escalation.

Published: Jan 24, 2022
Updated: Apr 14, 2023
CVE: CVE-2021-4088
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
mcafee / data_loss_prevention	11.7.0	11.7.101
mcafee / data_loss_prevention	11.8.0	11.8.100
mcafee / data_loss_prevention	11.6.401	11.6.401.x

https://kc.mcafee.com/corporate/index?page=content&id=SB10376

Vulnerability Database

289,599

CVE-2021-4088