CVE-2012-4581

medium

Published 2012-08-22 · Modified 2026-04-29

CVSS v3

—

CVSS v2

6.8

VIR risk

6.8

Description

McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, does not disable the server-side session token upon the closing of the Management Console/Dashboard, which makes it easier for remote attackers to hijack sessions by capturing a session cookie and then modifying the response to a login attempt, related to a "Logout Failure" issue.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://kc.mcafee.com/corporate/index?page=content&id=SB10020

Application impact

Vendor	Product	Versions
mcafee	email_and_web_security	`5.0`
mcafee	email_and_web_security	`5.5`
mcafee	email_and_web_security	`5.6`
mcafee	email_gateway	`7.0`

References

https://kc.mcafee.com/corporate/index?page=content&id=SB10020
https://kc.mcafee.com/corporate/index?page=content&id=SB10020

CWEs

CWE-287

Verify integrity in audit chain (admin only). AS-IS.