Multiple cross-site scripting (XSS) vulnerabilities in McAfee IntruShield Security Management System allow remote authenticated users to inject arbitrary web script or HTML via the (1) thirdMenuName or (2) resourceName parameter to SystemEvent.jsp.
McAfee IntruShield SystemEvent.jsp Arbitrary HTML Injection
Local / Remote
Loss of Confidentiality, Loss of Integrity
McAfee IntruShield Manager contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the thirdMenuName or resourceName parameters upon submission to the 'SystemEvent.jsp' page. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 220.127.116.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
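
For triage on a Manager that has not yet been upgraded, the following added example (not part of the original advisory or of McAfee's code) flags web access log entries where thirdMenuName or resourceName reaches SystemEvent.jsp carrying HTML metacharacters. The log layout, the `/app/` path prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory names as injectable on SystemEvent.jsp.
WATCHED_PARAMS = ("thirdMenuName", "resourceName")
# Characters that let a reflected value leave HTML text or attribute context.
MARKUP = re.compile(r"[<>\"'`]")
# Assumption: access logs carry the request line as "METHOD target HTTP/x.y".
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return the watched parameters whose decoded value contains markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    if not target.path.lower().endswith("/systemevent.jsp"):
        return []
    hits = []
    # parse_qs percent-decodes once; unquote() again to catch double encoding.
    for name, values in parse_qs(target.query, keep_blank_values=True).items():
        if name in WATCHED_PARAMS and any(
            MARKUP.search(v) or MARKUP.search(unquote(v)) for v in values
        ):
            hits.append(name)
    return hits

def scan(lines):
    """Return (line_number, parameter_names) for every line worth reviewing."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))]

# Constructed sample log lines; the /app/ path prefix is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jan/2024:10:00:00 +0000] "GET /app/SystemEvent.jsp?thirdMenuName=Faults&resourceName=Manager HTTP/1.1" 200 512',
    '10.0.0.6 - bob [01/Jan/2024:10:01:00 +0000] "GET /app/SystemEvent.jsp?thirdMenuName=%3Cb%3Ex%3C%2Fb%3E&resourceName=Manager HTTP/1.1" 200 530',
    '10.0.0.6 - bob [01/Jan/2024:10:02:00 +0000] "GET /app/SystemEvent.jsp?thirdMenuName=Faults&resourceName=%253Ci%253E HTTP/1.1" 200 530',
    '10.0.0.7 - carol [01/Jan/2024:10:03:00 +0000] "GET /app/Other.jsp?thirdMenuName=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: markup in {', '.join(names)}")
```

A hit only shows that markup was submitted in one of the two parameters; it does not show that the page reflected it, so treat matches as leads for review.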