CVE-2019-17002 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 48.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJan 8

Latest updateMay 24

Description

If upgrade-insecure-requests was specified in the Content Security Policy, and a link was dragged and dropped from that page, the link was not upgraded to https. This vulnerability affects Firefox < 70.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/firefox< firefox 70.0-1 (sid)

▶NVDmozilla/firefox< 70.0

▶Ubuntumozilla/firefox< 70.0+build2-0ubuntu0.16.04.1+2

▶CVEListV5mozilla/firefoxbefore 70

🔴Vulnerability Details

GHSA

GHSA-hqww-p73m-wmm6: If upgrade-insecure-requests was specified in the Content Security Policy, and a link was dragged and dropped from that page, the link was not upgrade↗2022-05-24

▶

OSV

CVE-2019-17002: If upgrade-insecure-requests was specified in the Content Security Policy, and a link was dragged and dropped from that page, the link was not upgrade↗2019-10-23

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2019-10-23

▶

Debian

CVE-2019-17002: firefox - If upgrade-insecure-requests was specified in the Content Security Policy, and a...↗2019

▶