CVE-2019-17022
Published: 8 January 2020
When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
Notes
Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
Priority
Status
Package | Release | Status |
---|---|---|
mozjs38 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
impish |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
mozjs52 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
disco |
Ignored
(end of life)
|
|
eoan |
Ignored
(end of life)
|
|
focal |
Needs triage
|
|
trusty |
Does not exist
|
|
impish |
Does not exist
|
|
groovy |
Ignored
(end of life)
|
|
hirsute |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
mantic |
Does not exist
|
|
firefox Launchpad, Ubuntu, Debian |
impish |
Released
(72.0.1+build1-0ubuntu1)
|
bionic |
Released
(72.0.1+build1-0ubuntu0.18.04.1)
|
|
disco |
Released
(72.0.1+build1-0ubuntu0.19.04.1)
|
|
eoan |
Released
(72.0.1+build1-0ubuntu0.19.10.1)
|
|
focal |
Released
(72.0.1+build1-0ubuntu1)
|
|
groovy |
Released
(72.0.1+build1-0ubuntu1)
|
|
hirsute |
Released
(72.0.1+build1-0ubuntu1)
|
|
jammy |
Released
(72.0.1+build1-0ubuntu1)
|
|
kinetic |
Released
(72.0.1+build1-0ubuntu1)
|
|
lunar |
Released
(72.0.1+build1-0ubuntu1)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(72.0)
|
|
xenial |
Released
(72.0.1+build1-0ubuntu0.16.04.1)
|
|
mantic |
Released
(72.0.1+build1-0ubuntu1)
|
|
mozjs60 Launchpad, Ubuntu, Debian |
impish |
Does not exist
|
bionic |
Does not exist
|
|
disco |
Ignored
(end of life)
|
|
eoan |
Ignored
(end of life)
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
mantic |
Does not exist
|
|
thunderbird Launchpad, Ubuntu, Debian |
impish |
Released
(1:68.4.1+build1-0ubuntu1)
|
bionic |
Released
(1:68.4.1+build1-0ubuntu0.18.04.1)
|
|
disco |
Ignored
(end of life)
|
|
eoan |
Released
(1:68.4.1+build1-0ubuntu0.19.10.1)
|
|
focal |
Released
(1:68.4.1+build1-0ubuntu1)
|
|
groovy |
Released
(1:68.4.1+build1-0ubuntu1)
|
|
hirsute |
Released
(1:68.4.1+build1-0ubuntu1)
|
|
jammy |
Released
(1:68.4.1+build1-0ubuntu1)
|
|
kinetic |
Released
(1:68.4.1+build1-0ubuntu1)
|
|
lunar |
Released
(1:68.4.1+build1-0ubuntu1)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(68.4.1)
|
|
xenial |
Released
(1:68.7.0+build1-0ubuntu0.16.04.2)
|
|
mantic |
Released
(1:68.4.1+build1-0ubuntu1)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17022
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17022
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17022
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17022
- https://bugzilla.mozilla.org/show_bug.cgi?id=1602843
- https://www.mozilla.org/security/advisories/mfsa2020-01/
- https://www.mozilla.org/security/advisories/mfsa2020-02/
- https://ubuntu.com/security/notices/USN-4234-1
- https://ubuntu.com/security/notices/USN-4241-1
- https://ubuntu.com/security/notices/USN-4335-1
- NVD
- Launchpad
- Debian