CVE-2019-17016
Vulnerability from cvelistv5
Published
2020-01-08 21:27
Modified
2024-08-05 01:24
Severity ?
Summary
When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
References
security@mozilla.orghttp://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html
security@mozilla.orghttp://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0085Third Party Advisory
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0086Third Party Advisory
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0111
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0120
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0123
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0127
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0292
security@mozilla.orghttps://access.redhat.com/errata/RHSA-2020:0295
security@mozilla.orghttps://bugzilla.mozilla.org/show_bug.cgi?id=1599181Permissions Required
security@mozilla.orghttps://lists.debian.org/debian-lts-announce/2020/01/msg00005.htmlMailing List, Third Party Advisory
security@mozilla.orghttps://lists.debian.org/debian-lts-announce/2020/01/msg00016.html
security@mozilla.orghttps://seclists.org/bugtraq/2020/Jan/12Mailing List, Third Party Advisory
security@mozilla.orghttps://seclists.org/bugtraq/2020/Jan/18Mailing List, Third Party Advisory
security@mozilla.orghttps://seclists.org/bugtraq/2020/Jan/26
security@mozilla.orghttps://security.gentoo.org/glsa/202003-02
security@mozilla.orghttps://usn.ubuntu.com/4234-1/Third Party Advisory
security@mozilla.orghttps://usn.ubuntu.com/4241-1/
security@mozilla.orghttps://usn.ubuntu.com/4335-1/
security@mozilla.orghttps://www.debian.org/security/2020/dsa-4600Third Party Advisory
security@mozilla.orghttps://www.debian.org/security/2020/dsa-4603
security@mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2020-01/Vendor Advisory
security@mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2020-02/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0085Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0086Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0111
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0120
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0123
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0127
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0292
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0295
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.mozilla.org/show_bug.cgi?id=1599181Permissions Required
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2020/01/msg00005.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2020/Jan/12Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2020/Jan/18Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2020/Jan/26
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/202003-02
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4234-1/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4241-1/
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4335-1/
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2020/dsa-4600Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2020/dsa-4603
af854a3a-2127-422b-91ae-364da2661108https://www.mozilla.org/security/advisories/mfsa2020-01/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.mozilla.org/security/advisories/mfsa2020-02/Vendor Advisory
Impacted products
Vendor Product Version
Mozilla Firefox ESR Version: before 68.4
 Create a notification for this product.
   Mozilla Firefox Version: before 72
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T01:24:48.588Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.mozilla.org/show_bug.cgi?id=1599181",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.mozilla.org/security/advisories/mfsa2020-01/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.mozilla.org/security/advisories/mfsa2020-02/",
               },
               {
                  name: "20200109 [SECURITY] [DSA 4600-1] firefox-esr security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "https://seclists.org/bugtraq/2020/Jan/12",
               },
               {
                  name: "[debian-lts-announce] 20200109 [SECURITY] [DLA 2061-1] firefox-esr security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html",
               },
               {
                  name: "DSA-4600",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2020/dsa-4600",
               },
               {
                  name: "USN-4234-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4234-1/",
               },
               {
                  name: "20200112 [slackware-security] mozilla-thunderbird (SSA:2020-010-01)",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "https://seclists.org/bugtraq/2020/Jan/18",
               },
               {
                  name: "RHSA-2020:0085",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2020:0085",
               },
               {
                  name: "RHSA-2020:0086",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2020:0086",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html",
               },
               {
                  name: "RHSA-2020:0111",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2020:0111",
               },
               {
                  name: "openSUSE-SU-2020:0060",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html",
               },
               {
                  name: "RHSA-2020:0120",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2020:0120",
               },
               {
                  name: "RHSA-2020:0123",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2020:0123",
               },
               {
                  name: "RHSA-2020:0127",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2020:0127",
               },
               {
                  name: "USN-4241-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4241-1/",
               },
               {
                  name: "DSA-4603",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2020/dsa-4603",
               },
               {
                  name: "20200120 [SECURITY] [DSA 4603-1] thunderbird security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "https://seclists.org/bugtraq/2020/Jan/26",
               },
               {
                  name: "[debian-lts-announce] 20200120 [SECURITY] [DLA 2071-1] thunderbird security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html",
               },
               {
                  name: "openSUSE-SU-2020:0094",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html",
               },
               {
                  name: "RHSA-2020:0292",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2020:0292",
               },
               {
                  name: "RHSA-2020:0295",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2020:0295",
               },
               {
                  name: "GLSA-202003-02",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202003-02",
               },
               {
                  name: "USN-4335-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4335-1/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Firefox ESR",
               vendor: "Mozilla",
               versions: [
                  {
                     status: "affected",
                     version: "before 68.4",
                  },
               ],
            },
            {
               product: "Firefox",
               vendor: "Mozilla",
               versions: [
                  {
                     status: "affected",
                     version: "before 72",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Bypass of @namespace CSS sanitization during pasting",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-04-29T02:06:52",
            orgId: "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
            shortName: "mozilla",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://bugzilla.mozilla.org/show_bug.cgi?id=1599181",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.mozilla.org/security/advisories/mfsa2020-01/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.mozilla.org/security/advisories/mfsa2020-02/",
            },
            {
               name: "20200109 [SECURITY] [DSA 4600-1] firefox-esr security update",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "https://seclists.org/bugtraq/2020/Jan/12",
            },
            {
               name: "[debian-lts-announce] 20200109 [SECURITY] [DLA 2061-1] firefox-esr security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html",
            },
            {
               name: "DSA-4600",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2020/dsa-4600",
            },
            {
               name: "USN-4234-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4234-1/",
            },
            {
               name: "20200112 [slackware-security] mozilla-thunderbird (SSA:2020-010-01)",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "https://seclists.org/bugtraq/2020/Jan/18",
            },
            {
               name: "RHSA-2020:0085",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2020:0085",
            },
            {
               name: "RHSA-2020:0086",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2020:0086",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html",
            },
            {
               name: "RHSA-2020:0111",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2020:0111",
            },
            {
               name: "openSUSE-SU-2020:0060",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html",
            },
            {
               name: "RHSA-2020:0120",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2020:0120",
            },
            {
               name: "RHSA-2020:0123",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2020:0123",
            },
            {
               name: "RHSA-2020:0127",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2020:0127",
            },
            {
               name: "USN-4241-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4241-1/",
            },
            {
               name: "DSA-4603",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2020/dsa-4603",
            },
            {
               name: "20200120 [SECURITY] [DSA 4603-1] thunderbird security update",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "https://seclists.org/bugtraq/2020/Jan/26",
            },
            {
               name: "[debian-lts-announce] 20200120 [SECURITY] [DLA 2071-1] thunderbird security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html",
            },
            {
               name: "openSUSE-SU-2020:0094",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html",
            },
            {
               name: "RHSA-2020:0292",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2020:0292",
            },
            {
               name: "RHSA-2020:0295",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2020:0295",
            },
            {
               name: "GLSA-202003-02",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202003-02",
            },
            {
               name: "USN-4335-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4335-1/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security@mozilla.org",
               ID: "CVE-2019-17016",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Firefox ESR",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "before 68.4",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Firefox",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "before 72",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "Mozilla",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "Bypass of @namespace CSS sanitization during pasting",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://bugzilla.mozilla.org/show_bug.cgi?id=1599181",
                     refsource: "MISC",
                     url: "https://bugzilla.mozilla.org/show_bug.cgi?id=1599181",
                  },
                  {
                     name: "https://www.mozilla.org/security/advisories/mfsa2020-01/",
                     refsource: "CONFIRM",
                     url: "https://www.mozilla.org/security/advisories/mfsa2020-01/",
                  },
                  {
                     name: "https://www.mozilla.org/security/advisories/mfsa2020-02/",
                     refsource: "CONFIRM",
                     url: "https://www.mozilla.org/security/advisories/mfsa2020-02/",
                  },
                  {
                     name: "20200109 [SECURITY] [DSA 4600-1] firefox-esr security update",
                     refsource: "BUGTRAQ",
                     url: "https://seclists.org/bugtraq/2020/Jan/12",
                  },
                  {
                     name: "[debian-lts-announce] 20200109 [SECURITY] [DLA 2061-1] firefox-esr security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html",
                  },
                  {
                     name: "DSA-4600",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2020/dsa-4600",
                  },
                  {
                     name: "USN-4234-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4234-1/",
                  },
                  {
                     name: "20200112 [slackware-security] mozilla-thunderbird (SSA:2020-010-01)",
                     refsource: "BUGTRAQ",
                     url: "https://seclists.org/bugtraq/2020/Jan/18",
                  },
                  {
                     name: "RHSA-2020:0085",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2020:0085",
                  },
                  {
                     name: "RHSA-2020:0086",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2020:0086",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html",
                  },
                  {
                     name: "RHSA-2020:0111",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2020:0111",
                  },
                  {
                     name: "openSUSE-SU-2020:0060",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html",
                  },
                  {
                     name: "RHSA-2020:0120",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2020:0120",
                  },
                  {
                     name: "RHSA-2020:0123",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2020:0123",
                  },
                  {
                     name: "RHSA-2020:0127",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2020:0127",
                  },
                  {
                     name: "USN-4241-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4241-1/",
                  },
                  {
                     name: "DSA-4603",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2020/dsa-4603",
                  },
                  {
                     name: "20200120 [SECURITY] [DSA 4603-1] thunderbird security update",
                     refsource: "BUGTRAQ",
                     url: "https://seclists.org/bugtraq/2020/Jan/26",
                  },
                  {
                     name: "[debian-lts-announce] 20200120 [SECURITY] [DLA 2071-1] thunderbird security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html",
                  },
                  {
                     name: "openSUSE-SU-2020:0094",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html",
                  },
                  {
                     name: "RHSA-2020:0292",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2020:0292",
                  },
                  {
                     name: "RHSA-2020:0295",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2020:0295",
                  },
                  {
                     name: "GLSA-202003-02",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202003-02",
                  },
                  {
                     name: "USN-4335-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4335-1/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
      assignerShortName: "mozilla",
      cveId: "CVE-2019-17016",
      datePublished: "2020-01-08T21:27:03",
      dateReserved: "2019-09-30T00:00:00",
      dateUpdated: "2024-08-05T01:24:48.588Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2019-17016\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2020-01-08T22:15:12.277\",\"lastModified\":\"2024-11-21T04:31:32.987\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.\"},{\"lang\":\"es\",\"value\":\"Al pegar un &lt;style&gt; etiqueta del portapapeles en un editor de texto enriquecido, el saneador CSS reescribe incorrectamente una regla @namespace. Esto podría permitir una inyección en ciertos tipos de sitios web resultando en la filtración de datos. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a la versión  68.4 y Firefox versiones anteriores a la versión 72.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"72.0\",\"matchCriteriaId\":\"1398139B-C837-4BF4-8555-5D722B91F646\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"68.4\",\"matchCriteriaId\":\"ACE15104-6EDD-46EA-9596-28FEB99B563F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CD783B0C-9246-47D9-A937-6144FE8BFF0F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A31C8344-3E02-4EB8-8BD8-4C84B7959624\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"33C068A4-3780-4EAB-A937-6082DF847564\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9BBCD86A-E6C7-4444-9D74-F861084090F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51EF4996-72F4-4FA4-814F-F5991E7A8318\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7431ABC1-9252-419E-8CC1-311B41360078\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17F256A9-D3B9-4C72-B013-4EFD878BFEA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E5ED5807-55B7-47C5-97A6-03233F4FBC3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"825ECE2D-E232-46E0-A047-074B34DB1E97\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html\",\"source\":\"security@mozilla.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html\",\"source\":\"security@mozilla.org\"},{\"url\":\"http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0085\",\"source\":\"security@mozilla.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0086\",\"source\":\"security@mozilla.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0111\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0120\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0123\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0127\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0292\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0295\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1599181\",\"source\":\"security@mozilla.org\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html\",\"source\":\"security@mozilla.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/12\",\"source\":\"security@mozilla.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/18\",\"source\":\"security@mozilla.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/26\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://security.gentoo.org/glsa/202003-02\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://usn.ubuntu.com/4234-1/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4241-1/\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://usn.ubuntu.com/4335-1/\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://www.debian.org/security/2020/dsa-4600\",\"source\":\"security@mozilla.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4603\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2020-01/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2020-02/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0085\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0086\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0111\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0120\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0123\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0127\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0292\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0295\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1599181\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/18\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/26\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202003-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4234-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4241-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4335-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2020/dsa-4600\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4603\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2020-01/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2020-02/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.