Scan free
LOWCVE-2019-3591CVSS 3.9

CVE-2019-3591: XSS in McAfee Data Loss Prevention ePO

Platform

windows

Component

mcafee-data-loss-prevention-epo-extension

Fixed in

11.3.0

AI Confidence: highNVDEPSS 0.2%Reviewed: May 2026
View on NVD
Save

CVE-2019-3591 describes a cross-site scripting (XSS) vulnerability within the McAfee Data Loss Prevention (DLPe) ePO extension. This flaw allows an unauthenticated remote user to inject malicious JavaScript code into the ePO user interface. The vulnerability affects versions 11.0.0 through 11.3.0 of the extension and is mitigated by upgrading to version 11.3.0 or later.

Impact and Attack Scenarios

An attacker exploiting CVE-2019-3591 can execute arbitrary JavaScript code within the context of the ePO user interface. This could lead to the theft of sensitive information, such as user credentials or configuration data. The attacker could also potentially manipulate the ePO interface to display misleading information or perform unauthorized actions. The attack vector involves crafting a malicious upload that is initially blocked by DLPe Web Protection, but then triggers XSS when a DLP administrator views the event within the ePO UI. This highlights a critical flaw in the handling of seemingly blocked content.

Exploitation Context

CVE-2019-3591 was published on July 24, 2019. The CVSS score is LOW (3.9). There are no publicly known active campaigns targeting this vulnerability. No evidence of exploitation in the wild has been reported. The vulnerability is not listed on KEV or EPSS, indicating a low probability of exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureLow

EPSS

0.16% (37% percentile)

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N3.9LOWAttack VectorLocalHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Local — attacker needs a local shell or interactive session on the system.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentmcafee-data-loss-prevention-epo-extension
VendorMcAfee, LLC
Affected rangeFixed in
11.x – 11.3.011.3.0

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2019-3591 is to upgrade the McAfee Data Loss Prevention (DLPe) ePO extension to version 11.3.0 or later. If an immediate upgrade is not feasible, consider implementing stricter input validation and output encoding within the ePO extension to prevent the injection of malicious scripts. While a direct WAF rule is unlikely to be effective due to the nature of the XSS, reviewing and tightening DLPe Web Protection rules to more aggressively filter potentially malicious uploads is recommended. After upgrading, confirm the vulnerability is resolved by attempting a crafted upload and verifying that the JavaScript is not executed.

How to fix

Actualice la extensión McAfee Data Loss Prevention ePO a la versión 11.3.0 o posterior. Esta actualización corrige la vulnerabilidad XSS que permite la ejecución de JavaScript no autorizado en la interfaz de usuario de ePO.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2019-3591 — XSS in McAfee Data Loss Prevention ePO?

CVE-2019-3591 is a cross-site scripting (XSS) vulnerability affecting McAfee Data Loss Prevention (DLPe) ePO extension versions 11.0.0–11.3.0. An attacker can inject JavaScript code via a crafted upload, potentially compromising DLP admin accounts.

Am I affected by CVE-2019-3591 in McAfee Data Loss Prevention ePO?

You are affected if you are using McAfee Data Loss Prevention (DLPe) ePO extension versions 11.0.0 through 11.3.0. Check your ePO version and upgrade if necessary.

How do I fix CVE-2019-3591 in McAfee Data Loss Prevention ePO?

Upgrade the McAfee Data Loss Prevention (DLPe) ePO extension to version 11.3.0 or later to resolve this XSS vulnerability. Consider stricter input validation as an interim measure.

Is CVE-2019-3591 being actively exploited?

There is no evidence of active exploitation of CVE-2019-3591 in the wild, and it is not listed on KEV or EPSS, suggesting a low exploitation probability.

Where can I find the official McAfee advisory for CVE-2019-3591?

Refer to the McAfee Security Bulletin for details: https://kc.mcafee.com/corporate/details/kb/137321

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs