CVE-2019-11763

Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mask the actual characters of interest from filters. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1584216	Issue Tracking Permissions Required
https://security.gentoo.org/glsa/202003-10	Third Party Advisory
https://usn.ubuntu.com/4335-1/	Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2019-33/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-34/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-35/	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1584216	Issue Tracking Permissions Required
https://security.gentoo.org/glsa/202003-10	Third Party Advisory
https://usn.ubuntu.com/4335-1/	Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2019-33/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-34/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-35/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox_esr::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

Configuration 2 (hide)

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

History

21 Nov 2024, 04:21

Type	Values Removed	Values Added
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1584216 - Issue Tracking, Permissions Required~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1584216 - Issue Tracking, Permissions Required
References	~~() https://security.gentoo.org/glsa/202003-10 - Third Party Advisory~~	() https://security.gentoo.org/glsa/202003-10 - Third Party Advisory
References	~~() https://usn.ubuntu.com/4335-1/ - Third Party Advisory~~	() https://usn.ubuntu.com/4335-1/ - Third Party Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2019-33/ - Vendor Advisory~~	() https://www.mozilla.org/security/advisories/mfsa2019-33/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2019-34/ - Vendor Advisory~~	() https://www.mozilla.org/security/advisories/mfsa2019-34/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2019-35/ - Vendor Advisory~~	() https://www.mozilla.org/security/advisories/mfsa2019-35/ - Vendor Advisory

Information

Published : 2020-01-08 20:15

Updated : 2024-11-21 04:21

NVD link : CVE-2019-11763

Mitre link : CVE-2019-11763

CVE.ORG link : CVE-2019-11763

JSON object : View

Products Affected

canonical

ubuntu_linux

mozilla

thunderbird
firefox
firefox_esr

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2019-11763

6.1^/10

4.3^/10

Attach tags to `CVE-2019-11763`