Ubuntu.comUB:CVE-2019-17020CVE-2019-17020
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
53.3%
If an XML file is served with a Content Security Policy and the XML file
includes an XSL stylesheet, the Content Security Policy will not be applied
to the contents of the XSL stylesheet. If the XSL sheet e.g. includes
JavaScript, it would bypass any of the restrictions of the Content Security
Policy applied to the XML document. This vulnerability affects Firefox <
72.
Notes
| Author | Note |
|---|---|
| tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | firefox | < 72.0.1+build1-0ubuntu0.18.04.1 | UNKNOWN |
| ubuntu | 19.04 | noarch | firefox | < 72.0.1+build1-0ubuntu0.19.04.1 | UNKNOWN |
| ubuntu | 19.10 | noarch | firefox | < 72.0.1+build1-0ubuntu0.19.10.1 | UNKNOWN |
| ubuntu | 20.04 | noarch | firefox | < 72.0.1+build1-0ubuntu1 | UNKNOWN |
| ubuntu | 20.10 | noarch | firefox | < 72.0.1+build1-0ubuntu1 | UNKNOWN |
| ubuntu | 21.04 | noarch | firefox | < 72.0.1+build1-0ubuntu1 | UNKNOWN |
| ubuntu | 21.10 | noarch | firefox | < 72.0.1+build1-0ubuntu1 | UNKNOWN |
| ubuntu | 22.04 | noarch | firefox | < 72.0.1+build1-0ubuntu1 | UNKNOWN |
| ubuntu | 22.10 | noarch | firefox | < 72.0.1+build1-0ubuntu1 | UNKNOWN |
| ubuntu | 23.04 | noarch | firefox | < 72.0.1+build1-0ubuntu1 | UNKNOWN |
References
bugzilla.mozilla.org/show_bug.cgi?id=1597645
launchpad.net/bugs/cve/CVE-2019-17020
nvd.nist.gov/vuln/detail/CVE-2019-17020
security-tracker.debian.org/tracker/CVE-2019-17020
ubuntu.com/security/notices/USN-4234-1
www.cve.org/CVERecord?id=CVE-2019-17020
www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17020
www.mozilla.org/security/advisories/mfsa2020-01/
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
53.3%