Vulnerability Details : CVE-2019-3591
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in the ePO extension in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.0 allows an unauthenticated remote user to trigger specially crafted JavaScript to render in the ePO UI via a carefully crafted upload to a remote website, which is correctly blocked by DLPe Web Protection. This would then render as an XSS when the DLP Admin viewed the event in the ePO UI.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-3591
- cpe:2.3:a:mcafee:data_loss_prevention_endpoint:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-3591
- 0.31%: Probability of exploitation activity in the next 30 days
- ~51%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-3591
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
3.9 | LOW | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | 1.3 | 2.5 | McAfee (DEFUNCT) | |
CWE ids for CVE-2019-3591
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-3591
- https://kc.mcafee.com/corporate/index?page=content&id=SB10289
  McAfee Security Bulletin - Data Loss Prevention Endpoint ePolicy Orchestrator extension update fixes two vulnerabilities (CVE-2019-3591 and CVE-2019-3595) (Vendor Advisory)
- http://www.securityfocus.com/bid/109377
  McAfee Data Loss Prevention Endpoint for Windows Multiple Local Security Vulnerabilities