[email protected]CVE-2019-17016

HistoryJan 08, 2020 - 10:15 p.m.

CVE-2019-17016

2020-01-0822:15:00

CWE-79

[email protected]

web.nvd.nist.gov

196

cve-2019-17016

css sanitizer

data exfiltration

firefox esr

firefox

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.6 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

74.7%

JSON

When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.

VendorProductVersionCPE
mozillafirefox_esr*cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox_esr	*	cpe:2.3:a:mozilla:firefox_esr::::::::
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::

References

lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html

lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html

packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html

access.redhat.com/errata/RHSA-2020:0085

access.redhat.com/errata/RHSA-2020:0086

access.redhat.com/errata/RHSA-2020:0111

access.redhat.com/errata/RHSA-2020:0120

access.redhat.com/errata/RHSA-2020:0123

access.redhat.com/errata/RHSA-2020:0127

access.redhat.com/errata/RHSA-2020:0292

access.redhat.com/errata/RHSA-2020:0295

bugzilla.mozilla.org/show_bug.cgi?id=1599181

lists.debian.org/debian-lts-announce/2020/01/msg00005.html

lists.debian.org/debian-lts-announce/2020/01/msg00016.html

seclists.org/bugtraq/2020/Jan/12

seclists.org/bugtraq/2020/Jan/18

seclists.org/bugtraq/2020/Jan/26

security.gentoo.org/glsa/202003-02

usn.ubuntu.com/4234-1/

usn.ubuntu.com/4241-1/

usn.ubuntu.com/4335-1/

www.debian.org/security/2020/dsa-4600

www.debian.org/security/2020/dsa-4603

www.mozilla.org/security/advisories/mfsa2020-01/

www.mozilla.org/security/advisories/mfsa2020-02/

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.6 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

74.7%

JSON

Related for CVE-2019-17016

veracode1 debiancve1 ubuntucve1 alpinelinux1 prion1 redhatcve1 osv4 nessus52 openvas26 oraclelinux6 redhat8 mageia2 debian4 centos4 archlinux2 amazon1 altlinux2 kaspersky3 mozilla3 suse2 slackware1 ubuntu3 gentoo1