CVE-2019-17022
Summary
| CVE | CVE-2019-17022 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2020-01-08 22:15:00 UTC |
|---|
| Updated | 2020-01-13 20:15:00 UTC |
|---|
| Description | When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| USN-4234-1: Firefox vulnerabilities | Ubuntu security notices | Ubuntu |
UBUNTU |
usn.ubuntu.com |
Third Party Advisory |
| Debian -- Security Information -- DSA-4600-1 firefox-esr |
DEBIAN |
www.debian.org |
Third Party Advisory |
| [security-announce] openSUSE-SU-2020:0094-1: important: Security update |
SUSE |
lists.opensuse.org |
|
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
|
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
|
| Mozilla Firefox: Multiple vulnerabilities (GLSA 202003-02) — Gentoo security |
GENTOO |
security.gentoo.org |
|
| Bugtraq: [SECURITY] [DSA 4603-1] thunderbird security update |
BUGTRAQ |
seclists.org |
|
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
|
| [security-announce] openSUSE-SU-2020:0060-1: important: Security update |
SUSE |
lists.opensuse.org |
|
| Debian -- Security Information -- DSA-4603-1 thunderbird |
DEBIAN |
www.debian.org |
|
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
|
| [SECURITY] [DLA 2071-1] thunderbird security update |
MLIST |
lists.debian.org |
|
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
|
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
Third Party Advisory |
| Bugtraq: [SECURITY] [DSA 4600-1] firefox-esr security update |
BUGTRAQ |
seclists.org |
Mailing List, Third Party Advisory |
| USN-4335-1: Thunderbird vulnerabilities | Ubuntu security notices |
UBUNTU |
usn.ubuntu.com |
|
| Slackware Security Advisory - mozilla-thunderbird Updates ≈ Packet Storm |
MISC |
packetstormsecurity.com |
|
| [SECURITY] [DLA 2061-1] firefox-esr security update |
MLIST |
lists.debian.org |
Mailing List, Third Party Advisory |
| Security Vulnerabilities fixed in Firefox ESR 68.4 — Mozilla |
CONFIRM |
www.mozilla.org |
Vendor Advisory |
| Bugtraq: [slackware-security] mozilla-thunderbird (SSA:2020-010-01) |
BUGTRAQ |
seclists.org |
Mailing List, Third Party Advisory |
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
|
| Security Vulnerabilities fixed in Firefox 72 — Mozilla |
CONFIRM |
www.mozilla.org |
Vendor Advisory |
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
Third Party Advisory |
| USN-4241-1: Thunderbird vulnerabilities | Ubuntu security notices | Ubuntu |
UBUNTU |
usn.ubuntu.com |
|
| 1602843 - (CVE-2019-17022) Mutation XSS via copy-and-paste in WYSIWYG editors |
MISC |
bugzilla.mozilla.org |
Permissions Required |
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 296077 Oracle Solaris 11.4 Support Repository Update (SRU) 18.4.0 Missing (CPUJAN2020)
- 376884 Alibaba Cloud Linux Security Update for firefox (ALINUX2-SA-2020:0016)
- 377014 Alibaba Cloud Linux Security Update for thunderbird (ALINUX2-SA-2020:0017)
- 500925 Alpine Linux Security Update for firefox-esr
- 500945 Alpine Linux Security Update for firefox
- 503830 Alpine Linux Security Update for firefox
