CVE-2019-11744 — Cross-site Scripting in Mozilla Firefox

CWE-79 — Cross-site Scripting13 documents7 sources

Severity

6.1MEDIUMNVD

OSV9.8OSV6.5

EPSS

0.7%

top 28.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +3 more

Timeline

PublishedSep 27

Latest updateMay 24

Description

Some HTML elements, such as and , can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 6…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages11 packages

▶debiandebian/firefox< firefox 69.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 69

▶NVDmozilla/firefox68.0 — 68.1+2

▶debiandebian/firefox-esr< firefox 69.0-1 (sid)

▶CVEListV5mozilla/firefox_esrunspecified — 60.9+1

🔴Vulnerability Details

GHSA

GHSA-gf55-vpjv-mh2j: Some HTML elements, such as and , can contain literal angle brackets without treating them as markup↗2022-05-24

▶

OSV

thunderbird vulnerabilities↗2019-10-08

▶

OSV

firefox regression↗2019-10-08

▶

OSV

CVE-2019-11744: Some HTML elements, such as and , can contain literal angle brackets without treating them as markup↗2019-09-27

▶

OSV

firefox vulnerabilities↗2019-09-04

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2019-10-08

▶

Ubuntu

Firefox regression↗2019-10-08

▶

Ubuntu

Firefox vulnerabilities↗2019-09-04

▶

Red Hat

Mozilla: XSS by breaking out of title and textarea elements using innerHTML↗2019-09-03

▶

Debian

CVE-2019-11744: firefox - Some HTML elements, such as <title> and <textarea>, can contain lite...↗2019

▶

💬Community

Bugzilla

CVE-2019-11744 Mozilla: XSS by breaking out of title and textarea elements using innerHTML↗2019-09-04

▶

Bugzilla

Firefox 69.0 is available↗2019-09-03

▶