CVE-2019-3591

Published: Jul 24, 2019Modified: Nov 21, 2024

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ePO extension in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.0 allows unauthenticated remote user to trigger specially crafted JavaScript to render in the ePO UI via a carefully crafted upload to a remote website which is correctly blocked by DLPe Web Protection. This would then render as an XSS when the DLP Admin viewed the event in the ePO UI.

Affected (2)

Products: Mcafee: Data Loss Prevention Endpoint

1 product

Data Loss Prevention Endpoint

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Mcafee Data Loss Prevention Endpoint	From 11.0 to 11.1.200
Mcafee Data Loss Prevention Endpoint	From 11.2.000 to 11.3.0

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

http://www.securityfocus.com/bid/109377

Source: trellixpsirt@trellix.com

https://kc.mcafee.com/corporate/index?page=content&id=SB10289

Source: trellixpsirt@trellix.com

http://www.securityfocus.com/bid/109377

Source: af854a3a-2127-422b-91ae-364da2661108

https://kc.mcafee.com/corporate/index?page=content&id=SB10289

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.