David Valles
Mar 25, 2018

CVE-2017-4011 — Reflected XSS found in McAfee Network Data Loss Prevention (NDLP) 9.3.x

In this short post, I am going to write up how I found an XSS vulnerability in the McAfee NDLP product during a pentest. While logging in as a new user, I noticed that the application response contained the User-Agent value, taken from the request header, inside a JavaScript context without any encoding. Below is an example screenshot.

I wondered what would happen if I added an alert payload to the User-Agent value. When I appended “';alert(/XSS/);//” to the User-Agent as my proof-of-concept payload, lo and behold, I got a pop-up! :)

As you can see below, the payload is reflected verbatim in the response.
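To show what the screenshots show in runnable form, here is an added example (my own illustration, not McAfee's code) of the pattern behind this finding: a User-Agent header concatenated into a single-quoted JavaScript string, the breakout the ';alert(/XSS/);// payload performs, and one way to encode the value so it stays a string. The sample header, the function names and the template markup are all assumptions; a stubbed alert() stands in for the browser pop-up.

```javascript
// Added example, not McAfee's code: a header value reflected into an inline
// <script> string literal, the breakout the post's payload relies on, and one
// way to encode it safely. Function names and the template are assumptions.

// Constructed sample request header and the post's proof-of-concept payload.
const SAMPLE_UA = "Mozilla/5.0 (X11; Linux x86_64)";
const PAYLOAD = " ';alert(/XSS/);//";

// Vulnerable pattern: the raw header is concatenated into a single-quoted
// JavaScript string. A quote in the input ends the literal early and the
// rest of the input is parsed as code; the trailing // hides the leftover ';.
function renderVulnerable(userAgent) {
  return "<html><script>var ua = '" + userAgent + "';</script></html>";
}

// Hardened pattern: emit the value as a JSON string literal (quotes and
// backslashes escaped), then also escape what JSON.stringify leaves alone
// but still matters inside a <script> block: '<' and '>' (so "</script>"
// cannot close the block early) and U+2028/U+2029 (line terminators in
// older JavaScript engines).
function encodeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderHardened(userAgent) {
  return "<html><script>var ua = " + encodeForScript(userAgent) + ";</script></html>";
}

// Stand-in for the browser: pull the first inline script out of the page and
// run it with a stubbed alert(), recording what it was called with. Returns
// the value the script assigned to `ua` and the list of alert() arguments.
function executeInlineScript(html) {
  const match = /<script>([\s\S]*?)<\/script>/.exec(html);
  if (!match) throw new Error("no inline script found");
  const alerts = [];
  const alertStub = (msg) => { alerts.push(String(msg)); };
  // `var ua` is function-scoped inside new Function, so return it explicitly.
  const script = new Function("alert", match[1] + "\nreturn ua;");
  const ua = script(alertStub);
  return { ua, alerts };
}

// Same header through both templates. Vulnerable: alert() fires and `ua` is
// truncated at the injected quote. Hardened: no alert, `ua` is the full header.
function demo() {
  const header = SAMPLE_UA + PAYLOAD;
  return {
    vulnerable: executeInlineScript(renderVulnerable(header)),
    hardened: executeInlineScript(renderHardened(header)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints one recorded alert with the argument "/XSS/" for the vulnerable template and none for the hardened one. The same encoder also neutralises a payload of the form </script><script>…</script>, which would otherwise close the script block in real HTML parsing: the angle brackets become \u003c and \u003e escapes inside the JavaScript string, so the browser still sees a single string literal.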

I reported the issue to McAfee through my client’s vendor representative. I found McAfee was co-operative.

Timeline:

Feb 2017 — Reported the vulnerability.

Mar 2017 — Further communication.

May 2017 — Fixed and assigned CVE-2017-4011.

References:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4011

https://kc.mcafee.com/corporate/index?page=content&id=SB10198