CVE-2019-17016

medium

Description

When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
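A version check built from the ranges in the description above, as an added example (not Mozilla's or Tenable's code): the Firefox (< 72) and Firefox ESR (< 68.4) thresholds come from the description, while the Thunderbird threshold (< 68.4.1) is taken from the plugin names listed further down this page. The product keys and the handling of the "esr" suffix are this example's own conventions.

```python
"""Affected-version check for CVE-2019-17016.

Added example, not Mozilla's or Tenable's code. Firefox (< 72) and Firefox ESR
(< 68.4) ranges come from the CVE description; the Thunderbird range (< 68.4.1)
comes from the Nessus plugin names on the same page.
"""
import re

# product -> first fixed version; anything below it is treated as affected
FIXED = {
    "firefox": (72, 0, 0),
    "firefox-esr": (68, 4, 0),
    "thunderbird": (68, 4, 1),
}

# Accepts "72.0", "71.0.1", "68.3.0esr"; beta/nightly suffixes are out of scope
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]+)?$")


def parse_version(version: str):
    """Return ((major, minor, patch), tag) for a Mozilla version string,
    e.g. '68.3.0esr' -> ((68, 3, 0), 'esr'), '71.0' -> ((71, 0, 0), '')."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0)), (tag or "")


def is_affected(product: str, version: str) -> bool:
    """True if product/version falls inside the vulnerable range.

    An 'esr' suffix on a Firefox version selects the ESR branch, which has its
    own (lower) fix version; a plain 68.x without the suffix is the
    rapid-release branch and is compared against 72.
    """
    nums, tag = parse_version(version)
    key = "firefox-esr" if product == "firefox" and tag == "esr" else product
    if key not in FIXED:
        raise ValueError(f"unknown product: {product!r}")
    return nums < FIXED[key]


if __name__ == "__main__":
    for product, version in [("firefox", "71.0"), ("firefox", "72.0"),
                             ("firefox", "68.3.0esr"), ("firefox", "68.4.0esr"),
                             ("thunderbird", "68.4.0"), ("thunderbird", "68.4.1")]:
        state = "AFFECTED" if is_affected(product, version) else "fixed"
        print(f"{product} {version}: {state}")
```

The ESR branch matters because a bare numeric comparison against 72 would flag every 68.x ESR build, including the fixed 68.4.0esr and later, as vulnerable.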

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html

http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html

https://access.redhat.com/errata/RHSA-2020:0085

https://access.redhat.com/errata/RHSA-2020:0086

https://access.redhat.com/errata/RHSA-2020:0111

https://access.redhat.com/errata/RHSA-2020:0120

https://access.redhat.com/errata/RHSA-2020:0123

https://access.redhat.com/errata/RHSA-2020:0127

https://bugzilla.mozilla.org/show_bug.cgi?id=1599181

https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html

https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html

https://seclists.org/bugtraq/2020/Jan/12

https://seclists.org/bugtraq/2020/Jan/18

https://seclists.org/bugtraq/2020/Jan/26

https://usn.ubuntu.com/4234-1/

https://usn.ubuntu.com/4241-1/

https://www.debian.org/security/2020/dsa-4600

https://www.debian.org/security/2020/dsa-4603

https://www.mozilla.org/security/advisories/mfsa2020-01/

https://www.mozilla.org/security/advisories/mfsa2020-02/

Details

Source: MITRE

Published: 2020-01-08

Updated: 2020-01-13

Type: CWE-79

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Tenable Plugins

50 plugins in total:

ID | Name | Product | Family | Severity
150661 | SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2020:14268-1) | Nessus | SuSE Local Security Checks | high
147407 | NewStart CGSL MAIN 4.06 : firefox Multiple Vulnerabilities (NS-SA-2021-0004) | Nessus | NewStart CGSL Local Security Checks | critical
147312 | NewStart CGSL MAIN 4.06 : thunderbird Multiple Vulnerabilities (NS-SA-2021-0002) | Nessus | NewStart CGSL Local Security Checks | critical
145921 | CentOS 8 : firefox (CESA-2020:0111) | Nessus | CentOS Local Security Checks | high
143979 | NewStart CGSL CORE 5.05 / MAIN 5.05 : thunderbird Multiple Vulnerabilities (NS-SA-2020-0093) | Nessus | NewStart CGSL Local Security Checks | critical
143948 | NewStart CGSL CORE 5.05 / MAIN 5.05 : firefox Multiple Vulnerabilities (NS-SA-2020-0097) | Nessus | NewStart CGSL Local Security Checks | critical
140291 | NewStart CGSL MAIN 4.05 : thunderbird Multiple Vulnerabilities (NS-SA-2020-0046) | Nessus | NewStart CGSL Local Security Checks | critical
140283 | NewStart CGSL MAIN 4.05 : firefox Multiple Vulnerabilities (NS-SA-2020-0047) | Nessus | NewStart CGSL Local Security Checks | critical
135896 | Ubuntu 16.04 LTS : Thunderbird vulnerabilities (USN-4335-1) | Nessus | Ubuntu Local Security Checks | critical
134469 | GLSA-202003-02 : Mozilla Firefox: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
134325 | NewStart CGSL CORE 5.04 / MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2020-0011) | Nessus | NewStart CGSL Local Security Checks | high
134321 | NewStart CGSL CORE 5.04 / MAIN 5.04 : thunderbird Multiple Vulnerabilities (NS-SA-2020-0010) | Nessus | NewStart CGSL Local Security Checks | high
133652 | Amazon Linux 2 : thunderbird (ALAS-2020-1393) | Nessus | Amazon Linux Local Security Checks | high
133386 | RHEL 8 : firefox (RHSA-2020:0295) | Nessus | Red Hat Local Security Checks | high
133384 | RHEL 8 : thunderbird (RHSA-2020:0292) | Nessus | Red Hat Local Security Checks | high
133199 | openSUSE Security Update : MozillaThunderbird (openSUSE-2020-94) | Nessus | SuSE Local Security Checks | high
133153 | Oracle Linux 8 : thunderbird (ELSA-2020-0127) | Nessus | Oracle Linux Local Security Checks | high
133129 | Scientific Linux Security Update : thunderbird on SL7.x x86_64 (20200116) | Nessus | Scientific Linux Local Security Checks | high
133128 | Scientific Linux Security Update : thunderbird on SL6.x i386/x86_64 (20200116) | Nessus | Scientific Linux Local Security Checks | high
133106 | Debian DSA-4603-1 : thunderbird - security update | Nessus | Debian Local Security Checks | high
133104 | Debian DLA-2071-1 : thunderbird security update | Nessus | Debian Local Security Checks | high
133099 | CentOS 6 : thunderbird (CESA-2020:0123) | Nessus | CentOS Local Security Checks | high
133097 | CentOS 7 : thunderbird (CESA-2020:0120) | Nessus | CentOS Local Security Checks | high
133040 | Ubuntu 18.04 LTS / 19.10 : Thunderbird vulnerabilities (USN-4241-1) | Nessus | Ubuntu Local Security Checks | high
133026 | RHEL 8 : thunderbird (RHSA-2020:0127) | Nessus | Red Hat Local Security Checks | high
133024 | RHEL 6 : thunderbird (RHSA-2020:0123) | Nessus | Red Hat Local Security Checks | high
133022 | RHEL 7 : thunderbird (RHSA-2020:0120) | Nessus | Red Hat Local Security Checks | high
133019 | Oracle Linux 7 : thunderbird (ELSA-2020-0120) | Nessus | Oracle Linux Local Security Checks | high
132949 | openSUSE Security Update : MozillaFirefox (openSUSE-2020-60) | Nessus | SuSE Local Security Checks | high
132944 | Oracle Linux 8 : firefox (ELSA-2020-0111) | Nessus | Oracle Linux Local Security Checks | high
132939 | CentOS 7 : firefox (CESA-2020:0085) | Nessus | CentOS Local Security Checks | high
132921 | SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2020:0078-1) | Nessus | SuSE Local Security Checks | high
132889 | Scientific Linux Security Update : firefox on SL7.x x86_64 (20200113) | Nessus | Scientific Linux Local Security Checks | high
132888 | Scientific Linux Security Update : firefox on SL6.x i386/x86_64 (20200113) | Nessus | Scientific Linux Local Security Checks | high
132887 | RHEL 8 : firefox (RHSA-2020:0111) | Nessus | Red Hat Local Security Checks | high
132885 | RHEL 6 : firefox (RHSA-2020:0086) | Nessus | Red Hat Local Security Checks | high
132884 | RHEL 7 : firefox (RHSA-2020:0085) | Nessus | Red Hat Local Security Checks | high
132881 | Oracle Linux 7 : firefox (ELSA-2020-0085) | Nessus | Oracle Linux Local Security Checks | high
132873 | CentOS 6 : firefox (CESA-2020:0086) | Nessus | CentOS Local Security Checks | high
132854 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : firefox vulnerabilities (USN-4234-1) | Nessus | Ubuntu Local Security Checks | high
132852 | SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2020:0068-1) | Nessus | SuSE Local Security Checks | high
132847 | Slackware 14.2 / current : mozilla-thunderbird (SSA:2020-010-01) | Nessus | Slackware Local Security Checks | high
132774 | Mozilla Thunderbird < 68.4.1 | Nessus | Windows | high
132773 | Mozilla Thunderbird < 68.4.1 | Nessus | MacOS X Local Security Checks | high
132760 | Debian DSA-4600-1 : firefox-esr - security update | Nessus | Debian Local Security Checks | high
132758 | Debian DLA-2061-1 : firefox-esr security update | Nessus | Debian Local Security Checks | high
132711 | Mozilla Firefox ESR < 68.4 Multiple Vulnerabilities | Nessus | Windows | high
132710 | Mozilla Firefox ESR < 68.4 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | high
132709 | Mozilla Firefox < 72.0 Multiple Vulnerabilities | Nessus | Windows | high
132708 | Mozilla Firefox < 72.0 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | high