CVE-2019-17020

CVSS V2 Medium 4.3 CVSS V3 Medium 6.5
Description
If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. This vulnerability affects Firefox < 72.
Overview
  • CVE ID
  • CVE-2019-17020
  • Assigner
  • security@mozilla.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2020-01-08T22:15:12
  • Last Modified Date
  • 2021-07-21T11:39:23
Weakness Enumerations
CWE URL
CWE-611 http://cwe.mitre.org/data/definitions/611.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* 1 OR 72.0
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 4.3
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • REQUIRED
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • NONE
  • Availability Impact
  • NONE
  • Base Score
  • 6.5
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 2.8
  • Impact Score
  • 3.6
References
Reference URL Reference Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1597645 Permissions Required
https://www.mozilla.org/security/advisories/mfsa2020-01/ Vendor Advisory
https://usn.ubuntu.com/4234-1/ Third Party Advisory
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2019-17020
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17020
History
Created Old Value New Value Data Type Notes
2022-05-10 16:09:41 Added to TrackCVE
2022-12-04 09:10:11 2020-01-08T22:15Z 2020-01-08T22:15:12 CVE Published Date updated
2022-12-04 09:10:11 2021-07-21T11:39:23 CVE Modified Date updated
2022-12-04 09:10:11 Analyzed Vulnerability Status updated