Lucene search

[email protected]NVD:CVE-2019-17022

HistoryJan 08, 2020 - 10:15 p.m.

CVE-2019-17022

2020-01-0822:15:12

CWE-79

[email protected]

web.nvd.nist.gov

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

0.002

Percentile

64.5%

JSON

When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node’s innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.

Affected configurations

Nvd

Node

mozillafirefoxRange<72.0

mozillafirefox_esrRange<68.4

Node

canonicalubuntu_linuxMatch16.04lts

canonicalubuntu_linuxMatch18.04lts

canonicalubuntu_linuxMatch19.04

canonicalubuntu_linuxMatch19.10

Node

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

debiandebian_linuxMatch10.0

Node

redhatenterprise_linux_desktopMatch6.0

redhatenterprise_linux_desktopMatch7.0

redhatenterprise_linux_serverMatch6.0

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_server_ausMatch7.7

redhatenterprise_linux_server_tusMatch7.7

redhatenterprise_linux_workstationMatch6.0

redhatenterprise_linux_workstationMatch7.0

VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillafirefox_esr*cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
canonicalubuntu_linux16.04cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
canonicalubuntu_linux18.04cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
canonicalubuntu_linux19.04cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
canonicalubuntu_linux19.10cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
redhatenterprise_linux_desktop6.0cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::
mozilla	firefox_esr	*	cpe:2.3:a:mozilla:firefox_esr::::::::
canonical	ubuntu_linux	16.04	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
canonical	ubuntu_linux	18.04	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
canonical	ubuntu_linux	19.04	cpe:2.3:o:canonical:ubuntu_linux:19.04:::::::*
canonical	ubuntu_linux	19.10	cpe:2.3:o:canonical:ubuntu_linux:19.10:::::::*
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
redhat	enterprise_linux_desktop	6.0	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*