{"api_version":"1","generated_at":"2026-04-22T21:02:19+00:00","cve":"CVE-2020-7309","urls":{"html":"https://cve.report/CVE-2020-7309","api":"https://cve.report/api/cve/CVE-2020-7309.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-7309","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-7309"},"summary":{"title":"CVE-2020-7309","description":"Cross Site Scripting vulnerability in ePO extension in McAfee Application Control (MAC) prior to 8.3.1 allows administrators to inject arbitrary web script or HTML via specially crafted input in the policy discovery section.","state":"PUBLIC","assigner":"psirt@mcafee.com","published_at":"2020-08-26 06:15:00","updated_at":"2023-11-07 03:25:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10324","name":"https://kc.mcafee.com/corporate/index?page=content&id=SB10324","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"McAfee Security Bulletin - Application and Change Control update fixes Cross Site Scripting vulnerability (CVE-2020-7309)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-7309","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7309","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"McAfee credits Rares GOSMAN for responsibly reporting this flaw.","lang":""}],"nvd_cpes":[{"cve_year":"2020","cve_id":"7309","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mcafee","cpe5":"application_and_change_control","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"7309","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mcafee","cpe5":"application_and_change_control","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"psirt@mcafee.com","DATE_PUBLIC":"2020-08-25T00:00:00.000Z","ID":"CVE-2020-7309","STATE":"PUBLIC","TITLE":"Cross Site Scripting vulnerability in ePO extension of MACC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"McAfee Application and Change Control ","version":{"version_data":[{"version_affected":"<","version_name":"8.3.1","version_value":"8.3.1"}]}}]},"vendor_name":"McAfee, LLC"}]}},"credit":[{"lang":"eng","value":"McAfee credits Rares GOSMAN for responsibly reporting this flaw."}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Cross Site Scripting vulnerability in ePO extension in McAfee Application Control (MAC) prior to 8.3.1 allows administrators to inject arbitrary web script or HTML via specially crafted input in the policy discovery section."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"LOW","baseScore":3.9,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-79 Cross-site Scripting (XSS)"}]}]},"references":{"reference_data":[{"name":"https://kc.mcafee.com/corporate/index?page=content&id=SB10324","refsource":"CONFIRM","url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10324"}]},"source":{"discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2020-08-26 06:15:00","lastModifiedDate":"2023-11-07 03:25:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.7,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mcafee:application_and_change_control:*:*:*:*:*:*:*:*","versionEndExcluding":"8.3.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"7309","Ordinal":"167588","Title":"CVE-2020-7309","CVE":"CVE-2020-7309","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"7309","Ordinal":"1","NoteData":"Cross Site Scripting vulnerability in ePO extension in McAfee Application Control (MAC) prior to 8.3.1 allows administrators to inject arbitrary web script or HTML via specially crafted input in the policy discovery section.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"7309","Ordinal":"2","NoteData":"2020-08-26","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"7309","Ordinal":"3","NoteData":"2020-08-26","Type":"Other","Title":"Modified"}]}}}