McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, does not disable the server-side session token upon the closing of the Management Console/Dashboard, which makes it easier for remote attackers to hijack sessions by capturing a session cookie and then modifying the response to a login attempt, related to a Logout Failure issue.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Email_and_web_security | Mcafee | 5.0 (including) | 5.0 (including) |
| Email_and_web_security | Mcafee | 5.5 (including) | 5.5 (including) |
| Email_and_web_security | Mcafee | 5.6 (including) | 5.6 (including) |
| Email_gateway | Mcafee | 7.0 (including) | 7.0 (including) |