CVE-2019-17016
Vulnerability from cvelistv5
Published
2020-01-08 21:27
Modified
2024-08-05 01:24
Severity ?
Summary
When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
References
security@mozilla.orghttp://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html
security@mozilla.orghttp://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0085Third Party Advisory
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0086Third Party Advisory
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0111
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0120
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0123
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0127
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0292
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0295
security@mozilla.orghttps://bugzilla.mozilla.org/show_bug.cgi?id=1599181Permissions Required
security@mozilla.orghttps://lists.debian.org/debian-lts-announce/2020/01/msg00005.htmlMailing List, Third Party Advisory
security@mozilla.orghttps://lists.debian.org/debian-lts-announce/2020/01/msg00016.html
security@mozilla.orghttps://seclists.org/bugtraq/2020/Jan/12Mailing List, Third Party Advisory
security@mozilla.orghttps://seclists.org/bugtraq/2020/Jan/18Mailing List, Third Party Advisory
security@mozilla.orghttps://seclists.org/bugtraq/2020/Jan/26
security@mozilla.orghttps://security.gentoo.org/glsa/202003-02
security@mozilla.orghttps://usn.ubuntu.com/4234-1/Third Party Advisory
security@mozilla.orghttps://usn.ubuntu.com/4241-1/
security@mozilla.orghttps://usn.ubuntu.com/4335-1/
security@mozilla.orghttps://www.debian.org/security/2020/dsa-4600Third Party Advisory
security@mozilla.orghttps://www.debian.org/security/2020/dsa-4603
security@mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2020-01/Vendor Advisory
security@mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2020-02/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0085Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0086Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0111
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0120
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0123
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0127
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0292
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0295
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.mozilla.org/show_bug.cgi?id=1599181Permissions Required
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2020/01/msg00005.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2020/Jan/12Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2020/Jan/18Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2020/Jan/26
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/202003-02
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4234-1/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4241-1/
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4335-1/
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2020/dsa-4600Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2020/dsa-4603
af854a3a-2127-422b-91ae-364da2661108https://www.mozilla.org/security/advisories/mfsa2020-01/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.mozilla.org/security/advisories/mfsa2020-02/Vendor Advisory
Impacted products
Vendor Product Version
Mozilla Firefox Version: before 72
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:24:48.588Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1599181"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-01/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-02/"
          },
          {
            "name": "20200109 [SECURITY] [DSA 4600-1] firefox-esr security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2020/Jan/12"
          },
          {
            "name": "[debian-lts-announce] 20200109 [SECURITY] [DLA 2061-1] firefox-esr security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html"
          },
          {
            "name": "DSA-4600",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4600"
          },
          {
            "name": "USN-4234-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4234-1/"
          },
          {
            "name": "20200112 [slackware-security] mozilla-thunderbird (SSA:2020-010-01)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2020/Jan/18"
          },
          {
            "name": "RHSA-2020:0085",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0085"
          },
          {
            "name": "RHSA-2020:0086",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0086"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html"
          },
          {
            "name": "RHSA-2020:0111",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0111"
          },
          {
            "name": "openSUSE-SU-2020:0060",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html"
          },
          {
            "name": "RHSA-2020:0120",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0120"
          },
          {
            "name": "RHSA-2020:0123",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0123"
          },
          {
            "name": "RHSA-2020:0127",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0127"
          },
          {
            "name": "USN-4241-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4241-1/"
          },
          {
            "name": "DSA-4603",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4603"
          },
          {
            "name": "20200120 [SECURITY] [DSA 4603-1] thunderbird security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2020/Jan/26"
          },
          {
            "name": "[debian-lts-announce] 20200120 [SECURITY] [DLA 2071-1] thunderbird security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html"
          },
          {
            "name": "openSUSE-SU-2020:0094",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html"
          },
          {
            "name": "RHSA-2020:0292",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0292"
          },
          {
            "name": "RHSA-2020:0295",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0295"
          },
          {
            "name": "GLSA-202003-02",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202003-02"
          },
          {
            "name": "USN-4335-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4335-1/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "before 68.4"
            }
          ]
        },
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "before 72"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When pasting a \u0026lt;style\u0026gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR \u003c 68.4 and Firefox \u003c 72."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Bypass of @namespace CSS sanitization during pasting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-29T02:06:52",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1599181"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-01/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-02/"
        },
        {
          "name": "20200109 [SECURITY] [DSA 4600-1] firefox-esr security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2020/Jan/12"
        },
        {
          "name": "[debian-lts-announce] 20200109 [SECURITY] [DLA 2061-1] firefox-esr security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html"
        },
        {
          "name": "DSA-4600",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4600"
        },
        {
          "name": "USN-4234-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4234-1/"
        },
        {
          "name": "20200112 [slackware-security] mozilla-thunderbird (SSA:2020-010-01)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2020/Jan/18"
        },
        {
          "name": "RHSA-2020:0085",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0085"
        },
        {
          "name": "RHSA-2020:0086",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0086"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html"
        },
        {
          "name": "RHSA-2020:0111",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0111"
        },
        {
          "name": "openSUSE-SU-2020:0060",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html"
        },
        {
          "name": "RHSA-2020:0120",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0120"
        },
        {
          "name": "RHSA-2020:0123",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0123"
        },
        {
          "name": "RHSA-2020:0127",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0127"
        },
        {
          "name": "USN-4241-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4241-1/"
        },
        {
          "name": "DSA-4603",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4603"
        },
        {
          "name": "20200120 [SECURITY] [DSA 4603-1] thunderbird security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2020/Jan/26"
        },
        {
          "name": "[debian-lts-announce] 20200120 [SECURITY] [DLA 2071-1] thunderbird security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html"
        },
        {
          "name": "openSUSE-SU-2020:0094",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html"
        },
        {
          "name": "RHSA-2020:0292",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0292"
        },
        {
          "name": "RHSA-2020:0295",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0295"
        },
        {
          "name": "GLSA-202003-02",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202003-02"
        },
        {
          "name": "USN-4335-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4335-1/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2019-17016",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Firefox ESR",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 68.4"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 72"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When pasting a \u0026lt;style\u0026gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR \u003c 68.4 and Firefox \u003c 72."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Bypass of @namespace CSS sanitization during pasting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1599181",
              "refsource": "MISC",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1599181"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-01/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-01/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-02/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-02/"
            },
            {
              "name": "20200109 [SECURITY] [DSA 4600-1] firefox-esr security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2020/Jan/12"
            },
            {
              "name": "[debian-lts-announce] 20200109 [SECURITY] [DLA 2061-1] firefox-esr security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html"
            },
            {
              "name": "DSA-4600",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4600"
            },
            {
              "name": "USN-4234-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4234-1/"
            },
            {
              "name": "20200112 [slackware-security] mozilla-thunderbird (SSA:2020-010-01)",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2020/Jan/18"
            },
            {
              "name": "RHSA-2020:0085",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0085"
            },
            {
              "name": "RHSA-2020:0086",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0086"
            },
            {
              "name": "http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html"
            },
            {
              "name": "RHSA-2020:0111",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0111"
            },
            {
              "name": "openSUSE-SU-2020:0060",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html"
            },
            {
              "name": "RHSA-2020:0120",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0120"
            },
            {
              "name": "RHSA-2020:0123",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0123"
            },
            {
              "name": "RHSA-2020:0127",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0127"
            },
            {
              "name": "USN-4241-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4241-1/"
            },
            {
              "name": "DSA-4603",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4603"
            },
            {
              "name": "20200120 [SECURITY] [DSA 4603-1] thunderbird security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2020/Jan/26"
            },
            {
              "name": "[debian-lts-announce] 20200120 [SECURITY] [DLA 2071-1] thunderbird security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html"
            },
            {
              "name": "openSUSE-SU-2020:0094",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html"
            },
            {
              "name": "RHSA-2020:0292",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0292"
            },
            {
              "name": "RHSA-2020:0295",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0295"
            },
            {
              "name": "GLSA-202003-02",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202003-02"
            },
            {
              "name": "USN-4335-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4335-1/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2019-17016",
    "datePublished": "2020-01-08T21:27:03",
    "dateReserved": "2019-09-30T00:00:00",
    "dateUpdated": "2024-08-05T01:24:48.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-17016\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2020-01-08T22:15:12.277\",\"lastModified\":\"2024-11-21T04:31:32.987\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When pasting a \u0026lt;style\u0026gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR \u003c 68.4 and Firefox \u003c 72.\"},{\"lang\":\"es\",\"value\":\"Al pegar un \u0026lt;style\u0026gt; etiqueta del portapapeles en un editor de texto enriquecido, el saneador CSS reescribe incorrectamente una regla @namespace. Esto podr\u00eda permitir una inyecci\u00f3n en ciertos tipos de sitios web resultando en la filtraci\u00f3n de datos. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a la versi\u00f3n  68.4 y Firefox versiones anteriores a la versi\u00f3n 72.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"72.0\",\"matchCriteriaId\":\"1398139B-C837-4BF4-8555-5D722B91F646\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"68.4\",\"matchCriteriaId\":\"ACE15104-6EDD-46EA-9596-28FEB99B563F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CD783B0C-9246-47D9-A937-6144FE8BFF0F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A31C8344-3E02-4EB8-8BD8-4C84B7959624\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"33C068A4-3780-4EAB-A937-6082DF847564\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9BBCD86A-E6C7-4444-9D74-F861084090F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51EF4996-72F4-4FA4-814F-F5991E7A8318\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7431ABC1-9252-419E-8CC1-311B41360078\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17F256A9-D3B9-4C72-B013-4EFD878BFEA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E5ED5807-55B7-47C5-97A6-03233F4FBC3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"825ECE2D-E232-46E0-A047-074B34DB1E97\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html\",\"source\":\"security@mozilla.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html\",\"source\":\"security@mozilla.org\"},{\"url\":\"http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0085\",\"source\":\"security@mozilla.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0086\",\"source\":\"security@mozilla.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0111\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0120\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0123\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0127\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0292\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0295\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1599181\",\"source\":\"security@mozilla.org\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html\",\"source\":\"security@mozilla.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/12\",\"source\":\"security@mozilla.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/18\",\"source\":\"security@mozilla.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/26\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://security.gentoo.org/glsa/202003-02\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://usn.ubuntu.com/4234-1/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4241-1/\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://usn.ubuntu.com/4335-1/\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://www.debian.org/security/2020/dsa-4600\",\"source\":\"security@mozilla.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4603\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2020-01/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2020-02/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0085\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0086\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0111\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0120\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0123\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0127\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0292\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0295\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1599181\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/18\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/26\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202003-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4234-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4241-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4335-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2020/dsa-4600\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4603\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2020-01/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2020-02/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.