CVE-2019-17020XML External Entity (XXE) Injection in Mozilla Firefox

CWE-611XML External Entity (XXE) InjectionCWE-20Improper Input Validation8 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 53.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxDebian FirefoxCanonical Ubuntu Linux
Timeline
PublishedJan 8
Latest updateMay 24

Description

If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. This vulnerability affects Firefox < 72.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

debiandebian/firefox< firefox 72.0-1 (sid)
NVDmozilla/firefox< 72.0
Ubuntumozilla/firefox< 72.0.1+build1-0ubuntu0.16.04.1+2
CVEListV5mozilla/firefoxbefore 72
mozillamozilla/firefox

Also affects: Ubuntu Linux 16.04, 18.04, 19.04, 19.10

🔴Vulnerability Details

2
GHSA
GHSA-p8vh-p3hc-xm35: If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied t2022-05-24
OSV
CVE-2019-17020: If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied t2020-01-08

📋Vendor Advisories

4
Red Hat
Mozilla: Content Security Policy bypass for XSL stylesheet2020-01-14
Ubuntu
Firefox vulnerabilities2020-01-09
Debian
CVE-2019-17020: firefox - If an XML file is served with a Content Security Policy and the XML file include...2019
Mozilla
Mozilla Foundation Security Advisory 2020-01: CVE-2019-17020

💬Community

1
Bugzilla
CVE-2019-17020 Mozilla: Content Security Policy bypass for XSL stylesheet2020-01-14