VYPR
Unrated severity · NVD Advisory · Published Jul 11, 2005 · Updated Apr 16, 2026

CVE-2005-2186


Description

Authenticated users can inject arbitrary web script via unsanitized parameters in McAfee IntruShield Security Management System, leading to XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The McAfee IntruShield Security Management System (ISM) contains a stored cross-site scripting (XSS) vulnerability in SystemEvent.jsp. The thirdMenuName and resourceName parameters are not sanitized before being displayed, allowing authenticated users to inject arbitrary web script or HTML [1]. This affects all versions prior to the June 2005 maintenance patch as indicated by the vendor [2].

Exploitation

An attacker must have authenticated access to the ISM console with privileges to create or modify menu or resource entries. The attacker supplies a malicious payload in the thirdMenuName or resourceName parameter. When any user (including administrators) views the affected page, the injected script executes in the context of their browser session [1]. No additional user interaction is required beyond viewing the page.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to theft of session cookies, UI redressing, or performing unauthorized actions on behalf of the victim. Because the script runs in the security context of the administration console, an attacker may escalate their privileges to fully compromise the IntruShield management system [1].

Mitigation

McAfee addressed these vulnerabilities in a maintenance patch released in June 2005 [2]. Administrators should apply the patch or upgrade to the latest supported version. No effective workarounds have been published; restricting access to the management console and reviewing user permissions may reduce risk.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"Missing input sanitization of the thirdMenuName and resourceName parameters in SystemEvent.jsp allows injection of arbitrary HTML and JavaScript."

Attack vector

An attacker with a valid user account crafts a URL containing malicious HTML or JavaScript in the `thirdMenuName` or `resourceName` parameter of `SystemEvent.jsp`. When a legitimate user (including a Manager) clicks the link, the injected script executes in the security context of the Management Console session, allowing the attacker to hijack account credentials or perform phishing attacks [1]. The attack is performed remotely over HTTP/HTTPS and requires no special network position beyond access to the Management Console.

Affected code

The vulnerability is in the `SystemEvent.jsp` page within the `/intruvert/jsp/systemHealth/` directory. The `thirdMenuName` and `resourceName` parameters are not sanitized before being rendered in the page output.

What the fix does

The advisory states that a new version was released to address these bugs and can be downloaded from the vendor's site [1]. No patch diff is available in the bundle. The fix would involve proper input validation and output encoding of the `thirdMenuName` and `resourceName` parameters in `SystemEvent.jsp` to prevent injected HTML or JavaScript from being interpreted by the browser.
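As an added illustration (not code from the advisory, from McAfee, or from the bundle), the rendering flaw and the output-encoding fix described above, written in JavaScript rather than JSP: a page fragment is built from the `thirdMenuName` and `resourceName` query parameters, once by raw concatenation and once through an HTML encoder. The parameter names and the `/Demo:0/Manager` value come from the advisory; the template, the encoder and the sample query string are constructed for this example.

```javascript
// Added example, not the product's code: the SystemEvent.jsp parameter names
// are real, the page template and the sample query string are constructed.

// Encode the five characters that let data break out of an HTML text node or
// a double-quoted attribute value (the same set JSTL's <c:out> escapes).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Pull the two parameters the advisory names out of a request query string.
function parseParams(queryString) {
  const p = new URLSearchParams(queryString);
  return {
    thirdMenuName: p.get('thirdMenuName') ?? '',
    resourceName: p.get('resourceName') ?? '',
  };
}

// The flawed pattern: request parameters concatenated straight into markup.
function renderVulnerable({ thirdMenuName, resourceName }) {
  return `<h3>${thirdMenuName}</h3><td title="${resourceName}">${resourceName}</td>`;
}

// The fixed pattern: every untrusted value is HTML-encoded at the output point,
// so the browser sees the parameter as text, never as a tag or attribute.
function renderFixed({ thirdMenuName, resourceName }) {
  const menu = escapeHtml(thirdMenuName);
  const res = escapeHtml(resourceName);
  return `<h3>${menu}</h3><td title="${res}">${res}</td>`;
}

// Constructed request: the advisory's benign resourceName value plus a
// thirdMenuName that carries a script tag, URL-encoded as a browser would send it.
const SAMPLE_QUERY =
  'resourceName=%2FDemo%3A0%2FManager&thirdMenuName=Faults%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// True if the rendered fragment still contains a raw <script> tag from the
// input, i.e. the browser would parse attacker-supplied data as markup.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

function main() {
  const params = parseParams(SAMPLE_QUERY);
  console.log('vulnerable:', renderVulnerable(params), containsRawScriptTag(renderVulnerable(params)));
  console.log('fixed:     ', renderFixed(params), containsRawScriptTag(renderFixed(params)));
}
main();
```

In the JSP itself the equivalent change is to emit each parameter through `<c:out value="${param.thirdMenuName}"/>` (which XML-escapes by default) instead of a raw expression.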

Preconditions

  • Auth: Attacker must have a valid user account on the McAfee IntruShield Security Management System
  • Input: Target user must click a crafted URL pointing to SystemEvent.jsp
  • Network: Network access to the Management Console web interface

Reproduction

The advisory provides two example URLs. For HTML injection: `https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (No linked articles in our index yet.)