CVE-2005-2187
Description
In McAfee IntruShield Security Management System, an authenticated user can escalate privileges to generate reports and modify alerts via unauthorized parameter manipulation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The McAfee IntruShield Security Management System (ISM) contains an authorization bypass vulnerability [1][2]. When the Access option is set to true, a remote authenticated user can access the 'Generate Reports' feature and modify alerts. The vulnerability is triggered by manipulating the fullAccess or fullAccessRight parameter in reports-column-center.jsp, or the fullAccess parameter in SystemEvent.jsp [1][2]. The affected software is identified as McAfee IntruShield Security Management System, versions prior to the June 2005 maintenance patch [3].
Exploitation
An attacker must have a valid authenticated session on the IntruShield Security Management System web console [1][2]. No additional privileges or write access are required beyond standard user authentication. The attacker simply crafts a request to the vulnerable JSP pages (reports-column-center.jsp or SystemEvent.jsp) and sets the fullAccess or fullAccessRight parameter to true [1][2]. This can be done remotely via a web browser or by sending a customized HTTP request.
Impact
Successful exploitation allows the authenticated attacker to bypass the intended access controls [1][2]. The attacker can generate reports and modify alerts, which are functions normally restricted to higher-privileged users. This represents a privilege escalation vulnerability that compromises the integrity and availability of security event management. The attacker could potentially alter or delete critical security alerts, undermining the monitoring capabilities of the IPS deployment.
Mitigation
A fix was scheduled for release in the June 2005 maintenance patch, as confirmed by McAfee [3]. Users should apply the vendor-supplied patch to correct the parameter validation and authorization logic. No workarounds were disclosed in the available references. If the product is no longer supported, users should upgrade to a supported version or implement network-level access controls to restrict access to the management console to trusted users only.
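Until the patch is applied, the request pattern described above can be looked for in the console's web access logs. The following is an added example, not taken from the advisory or from McAfee. It assumes Common Log Format lines that record the authenticated account, and a hypothetical `FULL_ACCESS_USERS` list of accounts that legitimately hold full access; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pages and parameters named in the advisory.
WATCHED = {
    "reports-column-center.jsp": ("fullAccess", "fullAccessRight"),
    "SystemEvent.jsp": ("fullAccess",),
}
# Assumption: accounts entitled to full access, exported from the manager.
FULL_ACCESS_USERS = {"admin"}

# Assumption: Common Log Format with the authenticated user in the third field.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_requests(lines, full_access_users=FULL_ACCESS_USERS):
    """Return (user, ip, page, param) for each request that sets a watched
    flag to true while the account is not entitled to full access."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        page = url.path.rsplit("/", 1)[-1]
        query = parse_qs(url.query)
        for param in WATCHED.get(page, ()):
            values = [v.lower() for v in query.get(param, [])]  # match any casing
            if "true" in values and m["user"] not in full_access_users:
                hits.append((m["user"], m["ip"], page, param))
    return hits

# Constructed sample log lines (documentation addresses, made-up accounts).
SAMPLE_LOG = [
    '192.0.2.10 - admin [12/Jun/2005:10:01:00 +0000] "GET /intruvert/jsp/reports/reports-column-center.jsp?selectedDomain=0&fullAccessRight=true HTTP/1.1" 200 5120',
    '192.0.2.44 - viewer1 [12/Jun/2005:10:02:13 +0000] "GET /intruvert/jsp/reports/reports-column-center.jsp?selectedDomain=0&fullAccessRight=true HTTP/1.1" 200 5120',
    '192.0.2.44 - viewer1 [12/Jun/2005:10:03:40 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=TRUE&severity=critical HTTP/1.1" 200 2048',
    '192.0.2.44 - viewer1 [12/Jun/2005:10:04:02 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&severity=critical HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

If the console uses form-based login, the user field in the access log is usually empty and the account has to be joined in from the application's session log instead.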
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:h:mcafee:intrushield_security_management_system:*:*:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing server-side authorization checks on the `fullAccess` and `fullAccessRight` URL parameters allow privilege escalation."
Attack vector
An attacker who already possesses a valid low-privileged user account can modify the `fullAccess` or `fullAccessRight` URL parameters in requests to `reports-column-center.jsp` or `SystemEvent.jsp` [ref_id=1]. By setting these parameters to `true`, the attacker gains unauthorized access to the "Generate Reports" feature and the ability to acknowledge, de-acknowledge, and delete alerts [ref_id=1]. The attack is performed over HTTPS by crafting a specially formed URL and does not require any additional authentication bypass [ref_id=1].
Affected code
The vulnerability exists in the JSP pages `reports-column-center.jsp` and `SystemEvent.jsp` within the IntruShield Security Management System. The `fullAccess` and `fullAccessRight` parameters in these pages are not properly validated, allowing a low-privileged user to escalate their access by simply changing the parameter value from `false` to `true` [ref_id=1].
What the fix does
The advisory states that a new version of the software was released to address these bugs, but no patch diff is provided in the bundle [ref_id=1]. The fix would require the application to enforce server-side authorization checks on the `fullAccess` and `fullAccessRight` parameters rather than trusting the client-supplied value, ensuring that only users with the appropriate privileges can access report generation or modify alerts [ref_id=1].
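The difference between trusting the request flag and deriving the grant on the server, as an added sketch in Python. It is not the product's JSP code or the vendor's fix; the page and parameter names come from the advisory, while the role names, permission names and `Session` type are hypothetical.

```python
from dataclasses import dataclass

# Pages and parameters are from the advisory; roles and permissions are hypothetical.
PAGE_PERMISSION = {
    "reports-column-center.jsp": "generate_reports",
    "SystemEvent.jsp": "modify_alerts",
}
ROLE_PERMISSIONS = {
    "viewer": set(),
    "admin": {"generate_reports", "modify_alerts"},
}
CLIENT_FLAGS = ("fullAccess", "fullAccessRight")

@dataclass(frozen=True)
class Session:
    user: str
    role: str  # assigned by the server at login, never read from the request

def _claims_full_access(params):
    """True if the request itself asserts full access."""
    return any(params.get(f, "").lower() == "true" for f in CLIENT_FLAGS)

def full_access_vulnerable(session, page, params):
    """The flawed pattern: whatever flag the request carries is believed."""
    return _claims_full_access(params)

def full_access_hardened(session, page, params):
    """Return (granted, tampered). The grant comes from the session role only;
    a request flag claiming more than the role allows is reported, not honoured.
    Pages without a mapped permission are denied by default."""
    needed = PAGE_PERMISSION.get(page)
    granted = needed is not None and needed in ROLE_PERMISSIONS.get(session.role, set())
    tampered = _claims_full_access(params) and not granted
    return granted, tampered
```

The `tampered` result gives the application a server-side event to log whenever a request claims access the session does not have.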
Preconditions
- auth: Attacker must have a valid low-privileged user account on the IntruShield Security Management System
- network: Attacker must be able to send crafted HTTPS requests to the management console
Reproduction
Access the "Generate Reports" section by navigating to: `https://intrushield:443/intruvert/jsp/reports/reports-column-center.jsp?monitoredDomain=%2FDemo&selectedDomain=0&fullAccessRight=true` [ref_id=1]. To acknowledge or delete alerts, navigate to: `https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&faultResourceName=Manager&domainName=%2FDemo%3A0&resourceName=%Demo%3A0%2FManager&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=Critical&severity=critical&count=1` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.