CVE-2019-11718: Injection in Mozilla Firefox

Severity
5.3 MEDIUM (NVD)
OSV: 9.8
EPSS
0.6%
top 30.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 23
Latest update: May 24

Description

Activity Stream can display content sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing potential access to other information available to the Activity Stream, such as browsing history, if the Snippet Service were compromised. This vulnerability affects Firefox < 68.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (5 packages)

debian | debian/firefox | < firefox 68.0-1 (sid)
CVEListV5 | mozilla/firefox | unspecified 68
NVD | mozilla/firefox | < 68.0
Ubuntu | mozilla/firefox | < 68.0+build3-0ubuntu0.16.04.1 (+3)
NVD | opensuse/leap | 15.0, 15.1 (+1)

🔴Vulnerability Details

4
GHSA
GHSA-qp25-xm2x-r33g: Activity Stream can display content from sent from the Snippet Service website (2022-05-24)
OSV
firefox regressions (2019-07-25)
OSV
firefox vulnerabilities (2019-07-12)
OSV
CVE-2019-11718: Activity Stream can display content from sent from the Snippet Service website (2019-07-11)

📋Vendor Advisories

4
Ubuntu
Firefox regressions (2019-07-25)
Ubuntu
Firefox vulnerabilities (2019-07-12)
Red Hat
Mozilla: Activity Stream writes unsanitized content to innerHTML (2019-07-09)
Debian
CVE-2019-11718: firefox - Activity Stream can display content from sent from the Snippet Service website. ... (2019)

💬Community

1
Bugzilla
CVE-2019-11718 Mozilla: Activity Stream writes unsanitized content to innerHTML (2019-07-18)