CVE-2019-3591
LOWMcAfee Data Loss Prevention Endpoint 11.0-11.1.200 - Stored Cross-Site Scripting via ePO UI Event Rendering
Title source: llmDescription
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ePO extension in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.0 allows unauthenticated remote user to trigger specially crafted JavaScript to render in the ePO UI via a carefully crafted upload to a remote website which is correctly blocked by DLPe Web Protection. This would then render as an XSS when the DLP Admin viewed the event in the ePO UI.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://kc.mcafee.com/corporate/index?page=content&id=SB10289
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/109377
Scores
CVSS v3
3.9
EPSS
0.0016
EPSS Percentile
36.5%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
mcafee/data_loss_prevention_endpoint
11.0 - 11.1.200
Published
Jul 24, 2019
Tracked Since
Feb 18, 2026