CVE-2023-6072: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Trellix Central Management (CM)
A cross-site scripting vulnerability in Trellix Central Management (CM) prior to 9.1.3.97129 allows a remote authenticated attacker to craft CM dashboard internal requests causing arbitrary content to be injected into the response when accessing the CM dashboard.
AI Analysis
Technical Summary
CVE-2023-6072 is a cross-site scripting (XSS) vulnerability in Trellix Central Management (CM) versions prior to 9.1.3.97129, classified as CWE-79 (improper neutralization of input during web page generation). A remote attacker who holds valid CM credentials can craft CM dashboard internal requests whose content is placed into the HTTP response without adequate output encoding, so that attacker-supplied HTML or script is rendered when the dashboard is viewed. The advisory text does not say which request fields are affected or whether the injected content is stored or only reflected, so both delivery paths should be assumed until the vendor states otherwise.

Because authentication is required, the attacker must already hold an account on the CM system or have compromised one. Once the injected script runs, it executes in the browser session of whichever CM user loads the affected dashboard, which can allow session hijacking, actions performed in that user's name through the CM interface, and theft of data the dashboard displays or that the session can reach. Trellix Central Management is the platform used to administer Trellix endpoint security products and their policies, so an administrator's session is a high-value target.

No exploitation in the wild is known and no CVSS score had been published as of the information date. The affected-version statement implies that 9.1.3.97129 is the first fixed build. The impact is on confidentiality and integrity; an XSS flaw of this kind does not normally affect availability. The authenticated-only attack vector narrows the attack surface but does not remove the risk in deployments with many console users, shared accounts, or a realistic chance of credential compromise.
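As an added illustration of the CWE-79 pattern the summary describes (hypothetical example code written for this page, not Trellix's code and not derived from the advisory; the widget-rendering functions, the payload and the data shapes are constructed for the example), the block below contrasts a dashboard fragment built by string concatenation with the same fragment rendered with context-appropriate output encoding. It also covers the inline-script case, where json.dumps alone is not enough because a string value containing "</script>" can close the script element:

```python
import html
import json

# Constructed example payload for the demonstration; it is not a payload from
# the advisory, which publishes no exploit details.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_widget_vulnerable(title: str) -> str:
    """Hypothetical dashboard widget renderer that concatenates untrusted text
    straight into HTML. This is the CWE-79 pattern: whatever the caller passes
    as ``title`` becomes markup in the response."""
    return f'<div class="widget"><h2>{title}</h2></div>'


def render_widget_safe(title: str) -> str:
    """Same fragment with HTML-body encoding applied at the point of output.
    html.escape turns < > & " ' into entities, so the payload is shown as text."""
    return f'<div class="widget"><h2>{html.escape(title, quote=True)}</h2></div>'


def render_attr_safe(title: str) -> str:
    """Attribute context: quote=True is what stops a value from closing the
    attribute with a stray quote and appending an event-handler attribute."""
    return f'<div class="widget" data-title="{html.escape(title, quote=True)}"></div>'


SCRIPT_PREFIX = '<script>var dashboardData = '
SCRIPT_SUFFIX = ';</script>'


def embed_json_safe(data) -> str:
    """Inline <script> context. json.dumps does not escape '<', so a string
    value containing '</script>' would end the script element early. Emitting
    '<', '>' and '&' as JavaScript \\u escapes keeps the JSON valid and inert."""
    encoded = (
        json.dumps(data)
        .replace('<', '\\u003c')
        .replace('>', '\\u003e')
        .replace('&', '\\u0026')
    )
    return SCRIPT_PREFIX + encoded + SCRIPT_SUFFIX


def decode_embedded(script_tag: str):
    """Parse the JSON back out of the emitted script tag. The \\uXXXX forms are
    plain JSON escapes, so the round trip loses nothing."""
    inner = script_tag[len(SCRIPT_PREFIX):-len(SCRIPT_SUFFIX)]
    return json.loads(inner)


if __name__ == '__main__':
    print('vulnerable:', render_widget_vulnerable(PAYLOAD))
    print('safe      :', render_widget_safe(PAYLOAD))
    print('attribute :', render_attr_safe('" onerror="alert(1)'))
    print('script    :', embed_json_safe({'note': '</script><script>alert(1)</script>'}))
```

The point of the three safe variants is that the encoding must match the context the value lands in: entity encoding protects HTML body and attribute positions, but inside a script element the value has to be made safe as JavaScript, which is why the script case is handled separately.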
Potential Impact
For European organizations, exploitation of this XSS flaw in Trellix CM could allow an attacker to act inside the security management platform with the rights of the victim whose session runs the injected script. If that victim is an administrator, a low-privileged account holder effectively gains administrative control: changing endpoint security policies, disabling or weakening protections, creating accounts, or reading endpoint status and configuration data. The result is a degraded security posture, a greater chance of follow-on compromise, and possible regulatory exposure under GDPR where the exfiltrated data concerns identifiable persons. The impact is greatest in finance, healthcare, government and critical-infrastructure organizations, where Trellix products are commonly deployed and where the integrity of endpoint policy matters most. Persistence within the CM console itself is a realistic concern (for example through settings or accounts changed with the victim's rights), though the advisory gives no basis for claiming network-wide lateral movement from this flaw alone. Although no active exploitation has been reported, a central security management tool is an attractive target for attackers who want to disrupt or bypass enterprise security controls.
Mitigation Recommendations
1. Upgrade Trellix Central Management to 9.1.3.97129 or later, which the advisory identifies as the first version not affected; confirm the installed build number on every CM instance rather than relying on the major version alone.
2. Apply strict role-based access control (RBAC) so that as few accounts as possible can reach the dashboard, and so that a compromised low-privileged account has little to gain from an administrator's session.
3. Monitor and audit user activity in Trellix CM. Requests to dashboard endpoints from an authenticated account that carry markup or script-like characters (angle brackets, event-handler attributes, javascript: URIs), including URL-encoded or double-encoded forms, are a useful signal of attempted exploitation, as are unexpected policy or account changes by administrators.
4. A web application firewall (WAF) with rules for XSS-style input can reduce exposure, but treat it as a stopgap: the advisory describes the injection point as internal dashboard requests made by authenticated users, which generic WAF signatures may not cover, and it is no substitute for the patch.
5. Provide security awareness training to CM administrators so they recognize phishing and credential-theft attempts, since a valid account is the precondition for exploitation.
6. Place the CM management interface in a restricted network segment reachable only through VPN or zero-trust network access (ZTNA), which limits who can supply the authenticated requests in the first place.
7. Review any custom integrations or scripts that feed data into CM dashboards and ensure they apply context-appropriate output encoding, to avoid introducing a second injection path.
8. Where the deployment's front end or reverse proxy permits, ensure session cookies are marked HttpOnly and Secure and that a Content-Security-Policy restricting inline script is in place; these do not remove the flaw but limit what an injected script can do with the session.
9. Maintain an incident response plan that covers misuse of the management platform, including how to revoke sessions, reset administrator credentials and verify endpoint policies after a suspected compromise.
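The monitoring recommendation above is easiest to act on with something concrete. The following is added example code, not the page's or Trellix's, that runs a reflected-XSS indicator check over a few constructed access-log lines. The /cm/dashboard path, the user names and the combined-log-style format are assumptions made for the example; the advisory describes the injection point only as "CM dashboard internal requests", so a real deployment would first have to establish which requests to log and inspect. The check decodes URL-encoding repeatedly so that double-encoded payloads do not slip past a single decode, and attributes each hit to the authenticated account:

```python
import re
import urllib.parse

# Constructed sample lines in a combined-log-like format (client IP, "-",
# authenticated user, timestamp, request line, status, bytes). The paths,
# addresses and user names are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - alice [11/Nov/2023:10:15:02 +0000] "GET /cm/dashboard?widget=status HTTP/1.1" 200 5120
203.0.113.9 - mallory [11/Nov/2023:10:16:41 +0000] "GET /cm/dashboard?widget=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5310
203.0.113.9 - mallory [11/Nov/2023:10:17:05 +0000] "GET /cm/dashboard?widget=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5300
203.0.113.11 - bob [11/Nov/2023:10:18:10 +0000] "POST /cm/dashboard/save HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicators of markup or script injection. Kept deliberately narrow so that
# ordinary parameter names do not trigger them; tune per deployment.
INDICATORS = {
    'script_tag': re.compile(r'<\s*script\b', re.I),
    'html_tag': re.compile(r'<\s*(img|svg|iframe|object|embed|body|math)\b', re.I),
    'event_handler': re.compile(r'\bon(error|load|click|mouseover|focus|input|toggle)\s*=', re.I),
    'js_uri': re.compile(r'javascript\s*:', re.I),
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Apply URL decoding until the string stops changing (bounded), so that
    %253C -> %3C -> < is recognised as '<'. Plus signs become spaces on the way."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(uri: str) -> list:
    """Return the names of the indicators present in the decoded query string."""
    parsed = urllib.parse.urlsplit(uri)
    decoded_query = fully_decode(parsed.query)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded_query)]


def scan_log(text: str) -> list:
    """Parse each line and collect findings, each attributed to the account
    that sent the request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        hits = scan_request(m.group('uri'))
        if hits:
            findings.append({
                'user': m.group('user'),
                'ip': m.group('ip'),
                'uri': m.group('uri'),
                'indicators': hits,
            })
    return findings


def hits_by_user(findings: list) -> dict:
    """Aggregate for triage: which authenticated accounts sent suspicious requests."""
    counts = {}
    for f in findings:
        counts[f['user']] = counts.get(f['user'], 0) + 1
    return counts


if __name__ == '__main__':
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['user']}@{f['ip']} {f['uri']} -> {', '.join(f['indicators'])}")
    print(hits_by_user(results))
```

Because exploitation requires a valid account, the account attribution is the most useful output: a single user producing several hits is a candidate for session revocation and credential reset, whereas one hit from a scanner or a pasted URL may be benign. Bodies of POST requests are not in an access log, so the check above covers only query strings; dashboard requests that carry their data in the body would need application-level logging.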
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: trellix
- Date Reserved: 2023-11-10T06:32:51.689Z
- CISA Enriched: true
Threat ID: 682d983fc4522896dcbf0e56
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 6/24/2025, 6:25:40 AM
Last updated: 8/11/2025, 5:19:07 PM