CVE-2019-17016 — Cross-site Scripting in Mozilla Firefox
Severity: 6.1 MEDIUM (NVD), 8.8 (OSV)
EPSS: 3.5% (top 12.45%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 8
Latest update: May 24
Description
When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected Packages: 9 packages
Also affects: Debian Linux 10.0, 8.0, 9.0, Ubuntu Linux 16.04, 18.04, 19.04, 19.10, Enterprise Linux 7.7
Vulnerability Details (5)
GHSA
GHSA-w7r7-7cjm-rq4q: When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule (2022-05-24)
OSV
CVE-2019-17016: When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule (2020-01-08)
CVEList
CVE-2019-17016: When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule (2020-01-08)
Vendor Advisories (8)
Debian
CVE-2019-17016: firefox - When pasting a <style> tag from the clipboard into a rich text editor, the... (2019)