CVE-2019-11720 — Cross-site Scripting in Mozilla Firefox

CWE-79 — Cross-site Scripting CWE-172 — Encoding Error10 documents7 sources

Severity

6.1MEDIUMNVD

OSV9.8

EPSS

0.7%

top 26.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Opensuse Leap

Timeline

PublishedJul 23

Latest updateMay 24

Description

Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering. This vulnerability affects Firefox < 68.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶debiandebian/firefox< firefox 68.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 68

▶NVDmozilla/firefox< 68.0

▶Ubuntumozilla/firefox< 68.0+build3-0ubuntu0.16.04.1+3

▶NVDopensuse/leap15.0, 15.1+1

🔴Vulnerability Details

GHSA

GHSA-c4xq-jjr6-4q6x: Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors↗2022-05-24

▶

OSV

firefox regressions↗2019-07-25

▶

OSV

firefox vulnerabilities↗2019-07-12

▶

OSV

CVE-2019-11720: Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors↗2019-07-11

▶

📋Vendor Advisories

Ubuntu

Firefox regressions↗2019-07-25

▶

Ubuntu

Firefox vulnerabilities↗2019-07-12

▶

Red Hat

Mozilla: Character encoding XSS vulnerability↗2019-07-09

▶

Debian

CVE-2019-11720: firefox - Some unicode characters are incorrectly treated as whitespace during the parsing...↗2019

▶

💬Community

Bugzilla

CVE-2019-11720 Mozilla: Character encoding XSS vulnerability↗2019-07-18

▶