CVE-2019-17016

When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
References
Link Resource
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html
http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html
https://access.redhat.com/errata/RHSA-2020:0085 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0086 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0111
https://access.redhat.com/errata/RHSA-2020:0120
https://access.redhat.com/errata/RHSA-2020:0123
https://access.redhat.com/errata/RHSA-2020:0127
https://access.redhat.com/errata/RHSA-2020:0292
https://access.redhat.com/errata/RHSA-2020:0295
https://bugzilla.mozilla.org/show_bug.cgi?id=1599181 Permissions Required
https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html
https://seclists.org/bugtraq/2020/Jan/12 Mailing List Third Party Advisory
https://seclists.org/bugtraq/2020/Jan/18 Mailing List Third Party Advisory
https://seclists.org/bugtraq/2020/Jan/26
https://security.gentoo.org/glsa/202003-02
https://usn.ubuntu.com/4234-1/ Third Party Advisory
https://usn.ubuntu.com/4241-1/
https://usn.ubuntu.com/4335-1/
https://www.debian.org/security/2020/dsa-4600 Third Party Advisory
https://www.debian.org/security/2020/dsa-4603
https://www.mozilla.org/security/advisories/mfsa2020-01/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-02/ Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html
http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html
https://access.redhat.com/errata/RHSA-2020:0085 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0086 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0111
https://access.redhat.com/errata/RHSA-2020:0120
https://access.redhat.com/errata/RHSA-2020:0123
https://access.redhat.com/errata/RHSA-2020:0127
https://access.redhat.com/errata/RHSA-2020:0292
https://access.redhat.com/errata/RHSA-2020:0295
https://bugzilla.mozilla.org/show_bug.cgi?id=1599181 Permissions Required
https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html
https://seclists.org/bugtraq/2020/Jan/12 Mailing List Third Party Advisory
https://seclists.org/bugtraq/2020/Jan/18 Mailing List Third Party Advisory
https://seclists.org/bugtraq/2020/Jan/26
https://security.gentoo.org/glsa/202003-02
https://usn.ubuntu.com/4234-1/ Third Party Advisory
https://usn.ubuntu.com/4241-1/
https://usn.ubuntu.com/4335-1/
https://www.debian.org/security/2020/dsa-4600 Third Party Advisory
https://www.debian.org/security/2020/dsa-4603
https://www.mozilla.org/security/advisories/mfsa2020-01/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-02/ Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

History

21 Nov 2024, 04:31

Type Values Removed Values Added
References () http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html - () http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html -
References () http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html - () http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html -
References () http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html - () http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html -
References () https://access.redhat.com/errata/RHSA-2020:0085 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2020:0085 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2020:0086 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2020:0086 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2020:0111 - () https://access.redhat.com/errata/RHSA-2020:0111 -
References () https://access.redhat.com/errata/RHSA-2020:0120 - () https://access.redhat.com/errata/RHSA-2020:0120 -
References () https://access.redhat.com/errata/RHSA-2020:0123 - () https://access.redhat.com/errata/RHSA-2020:0123 -
References () https://access.redhat.com/errata/RHSA-2020:0127 - () https://access.redhat.com/errata/RHSA-2020:0127 -
References () https://access.redhat.com/errata/RHSA-2020:0292 - () https://access.redhat.com/errata/RHSA-2020:0292 -
References () https://access.redhat.com/errata/RHSA-2020:0295 - () https://access.redhat.com/errata/RHSA-2020:0295 -
References () https://bugzilla.mozilla.org/show_bug.cgi?id=1599181 - Permissions Required () https://bugzilla.mozilla.org/show_bug.cgi?id=1599181 - Permissions Required
References () https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html - Mailing List, Third Party Advisory () https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html - Mailing List, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html - () https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html -
References () https://seclists.org/bugtraq/2020/Jan/12 - Mailing List, Third Party Advisory () https://seclists.org/bugtraq/2020/Jan/12 - Mailing List, Third Party Advisory
References () https://seclists.org/bugtraq/2020/Jan/18 - Mailing List, Third Party Advisory () https://seclists.org/bugtraq/2020/Jan/18 - Mailing List, Third Party Advisory
References () https://seclists.org/bugtraq/2020/Jan/26 - () https://seclists.org/bugtraq/2020/Jan/26 -
References () https://security.gentoo.org/glsa/202003-02 - () https://security.gentoo.org/glsa/202003-02 -
References () https://usn.ubuntu.com/4234-1/ - Third Party Advisory () https://usn.ubuntu.com/4234-1/ - Third Party Advisory
References () https://usn.ubuntu.com/4241-1/ - () https://usn.ubuntu.com/4241-1/ -
References () https://usn.ubuntu.com/4335-1/ - () https://usn.ubuntu.com/4335-1/ -
References () https://www.debian.org/security/2020/dsa-4600 - Third Party Advisory () https://www.debian.org/security/2020/dsa-4600 - Third Party Advisory
References () https://www.debian.org/security/2020/dsa-4603 - () https://www.debian.org/security/2020/dsa-4603 -
References () https://www.mozilla.org/security/advisories/mfsa2020-01/ - Vendor Advisory () https://www.mozilla.org/security/advisories/mfsa2020-01/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2020-02/ - Vendor Advisory () https://www.mozilla.org/security/advisories/mfsa2020-02/ - Vendor Advisory

Information

Published : 2020-01-08 22:15

Updated : 2024-11-21 04:31


NVD link : CVE-2019-17016

Mitre link : CVE-2019-17016

CVE.ORG link : CVE-2019-17016


JSON object : View

Products Affected

redhat

  • enterprise_linux_workstation
  • enterprise_linux_server_tus
  • enterprise_linux_server
  • enterprise_linux_desktop
  • enterprise_linux_server_aus

debian

  • debian_linux

mozilla

  • firefox
  • firefox_esr

canonical

  • ubuntu_linux
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')