CVE-2019-17016
MEDIUMFirefox < 72.0 and Firefox ESR < 68.4 - Cross-Site Scripting via Style Tag Pasting
Title source: llmDescription
When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
References (25)
Core 25
Core References
Permissions Required x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1599181
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2020-01/
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2020-02/
Mailing List, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2020/Jan/12
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2020/dsa-4600
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4234-1/
Mailing List, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2020/Jan/18
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0085
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0086
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0111
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0120
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0123
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0127
Vendor Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4241-1/
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2020/dsa-4603
Mailing List mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2020/Jan/26
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0292
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0295
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202003-02
Vendor Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4335-1/
Scores
CVSS v3
6.1
EPSS
0.0293
EPSS Percentile
86.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (17)
canonical/ubuntu_linux
16.04
canonical/ubuntu_linux
18.04
canonical/ubuntu_linux
19.04
canonical/ubuntu_linux
19.10
debian/debian_linux
8.0
debian/debian_linux
9.0
debian/debian_linux
10.0
mozilla/firefox
< 72.0
mozilla/firefox_esr
< 68.4
redhat/enterprise_linux_desktop
6.0
... and 7 more
Published
Jan 08, 2020
Tracked Since
Feb 18, 2026