DLP Endpoint ePO extension not sanitizing CSV exports
CVE-2019-3595

2 LOW

Key Information:

Vendor
McAfee, LLC
Status
DLP Endpoint ePO Extension
Vendor
CVE Published:
24 July 2019

Summary

Improper Neutralization of Special Elements used in a Command ('Command Injection') in ePO extension in McAfee Data Loss Prevention (DLP) 11.x prior to 11.3.0 allows an authenticated administrator to execute arbitrary code with their local machine privileges via a specially crafted DLP policy, which is exported and opened on their machine. In our checks, the user must explicitly allow the code to execute.

Affected Version(s)

DLP Endpoint ePO extension 11.x < 11.3.0

CVSS V3.1

Score: 2
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
