CVE-2019-3591 | DLP Endpoint ePO extension vulnerable to XSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ePO extension in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.0 allows unauthenticated remote user to trigger specially crafted JavaScript to render in the ePO UI via a carefully crafted upload to a remote website which is correctly blocked by DLPe Web Protection. This would then render as an XSS when the DLP Admin viewed the event in the ePO UI.
Conclusion & alert: CVE-2019-3591 is rated Low Risk (34.5/100): CVSS Low severity, with medium exploitation likelihood (EPSS 0.83%).Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Exploit prediction scoring system (EPSS) score for CVE-2019-3591
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).