Lucene search

[email protected]NVD:CVE-2019-17022

HistoryJan 08, 2020 - 10:15 p.m.

CVE-2019-17022

2020-01-0822:15:12

CWE-79

[email protected]

web.nvd.nist.gov

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.8 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

64.6%

JSON

When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node’s innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.

Affected configurations

NVD

Node

mozillafirefoxRange<72.0

mozillafirefox_esrRange<68.4

Node

canonicalubuntu_linuxMatch16.04lts

canonicalubuntu_linuxMatch18.04lts

canonicalubuntu_linuxMatch19.04

canonicalubuntu_linuxMatch19.10

Node

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

debiandebian_linuxMatch10.0

Node

redhatenterprise_linux_desktopMatch6.0

redhatenterprise_linux_desktopMatch7.0

redhatenterprise_linux_serverMatch6.0

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_server_ausMatch7.7

redhatenterprise_linux_server_tusMatch7.7

redhatenterprise_linux_workstationMatch6.0

redhatenterprise_linux_workstationMatch7.0

References

lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html

lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html

packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html

access.redhat.com/errata/RHSA-2020:0085

access.redhat.com/errata/RHSA-2020:0086

access.redhat.com/errata/RHSA-2020:0111

access.redhat.com/errata/RHSA-2020:0120

access.redhat.com/errata/RHSA-2020:0123

access.redhat.com/errata/RHSA-2020:0127

access.redhat.com/errata/RHSA-2020:0292

access.redhat.com/errata/RHSA-2020:0295

bugzilla.mozilla.org/show_bug.cgi?id=1602843

lists.debian.org/debian-lts-announce/2020/01/msg00005.html

lists.debian.org/debian-lts-announce/2020/01/msg00016.html

seclists.org/bugtraq/2020/Jan/12

seclists.org/bugtraq/2020/Jan/18

seclists.org/bugtraq/2020/Jan/26

security.gentoo.org/glsa/202003-02

usn.ubuntu.com/4234-1/

usn.ubuntu.com/4241-1/

usn.ubuntu.com/4335-1/

www.debian.org/security/2020/dsa-4600

www.debian.org/security/2020/dsa-4603

www.mozilla.org/security/advisories/mfsa2020-01/

www.mozilla.org/security/advisories/mfsa2020-02/

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.8 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

64.6%

JSON

Related for NVD:CVE-2019-17022