CVE-2019-17022: When pasting a tag from the clipboard into a rich text editor, the CSS sanitizer does not escape characters. Because the resulting string is pasted directly…

medium6.1CVSS 3.1

AVNACLPRNUIRSCCLILAN

When pasting a tag from the clipboard into a rich text editor, the CSS sanitizer does not escape characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.

Affected

29 ranges· showing 25

Vendor	Product	Version range	Fixed in
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	firefox	< firefox 72.0-1 (sid)	firefox 72.0-1 (sid)
debian	firefox-esr	< firefox 72.0-1 (sid)	firefox 72.0-1 (sid)
debian	thunderbird	< firefox 72.0-1 (sid)	firefox 72.0-1 (sid)
mozilla	firefox	< 72.0	72.0
mozilla	firefox	—	—
mozilla	firefox	—	—
mozilla	firefox_esr	< 68.4	68.4
mozilla	firefox_esr	—	—
mozilla	thunderbird	>= 0 < 1:68.4.1-1	1:68.4.1-1
mozilla	thunderbird	>= 0 < 1:68.4.1-1	1:68.4.1-1
mozilla	thunderbird	>= 0 < 1:68.4.1-1	1:68.4.1-1
mozilla	thunderbird	>= 0 < 1:68.4.1-1	1:68.4.1-1
mozilla	thunderbird	>= 0 < 1:68.7.0+build1-0ubuntu0.16.04.2	1:68.7.0+build1-0ubuntu0.16.04.2
mozilla	thunderbird	>= 0 < 1:68.4.1+build1-0ubuntu0.18.04.1	1:68.4.1+build1-0ubuntu0.18.04.1
redhat	enterprise_linux_desktop	—	—
redhat	enterprise_linux_desktop	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server	—	—

CVSS provenance

nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

osv8.8HIGH