CVE-2019-11738 — Incorrect Default Permissions in Mozilla Firefox
Severity
6.3MEDIUMNVD
OSV9.8
EPSS
0.6%
top 30.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedSep 27
Latest updateMay 24
Description
If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4
Affected Packages8 packages
🔴Vulnerability Details
4GHSA▶
GHSA-v2rv-c5w8-f538: If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascrip↗2022-05-24
OSV▶
CVE-2019-11738: If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascrip↗2019-09-27