{"api_version":"1","generated_at":"2026-04-23T02:35:37+00:00","cve":"CVE-2019-11737","urls":{"html":"https://cve.report/CVE-2019-11737","api":"https://cve.report/api/cve/CVE-2019-11737.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-11737","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-11737"},"summary":{"title":"CVE-2019-11737","description":"If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content. This vulnerability affects Firefox < 69.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2019-09-27 18:15:00","updated_at":"2019-10-02 13:40:00"},"problem_types":["CWE-345"],"metrics":[],"references":[{"url":"https://www.mozilla.org/security/advisories/mfsa2019-25/","name":"https://www.mozilla.org/security/advisories/mfsa2019-25/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox 69 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1388015","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1388015","refsource":"MISC","tags":["Issue Tracking","Permissions Required","Vendor Advisory"],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-11737","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11737","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"11737","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11737","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-11737","qid":"296071","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 27.82.1 Missing (CPUOCT2020)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-11737","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_value":"69","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Content security policy directives ignore port and path if host is a wildcard"}]}]},"references":{"reference_data":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1388015","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1388015"},{"refsource":"CONFIRM","name":"https://www.mozilla.org/security/advisories/mfsa2019-25/","url":"https://www.mozilla.org/security/advisories/mfsa2019-25/"}]},"description":{"description_data":[{"lang":"eng","value":"If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content. This vulnerability affects Firefox < 69."}]}},"nvd":{"publishedDate":"2019-09-27 18:15:00","lastModifiedDate":"2019-10-02 13:40:00","problem_types":["CWE-345"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"69.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"11737","Ordinal":"150059","Title":"CVE-2019-11737","CVE":"CVE-2019-11737","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"11737","Ordinal":"1","NoteData":"If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content. This vulnerability affects Firefox < 69.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"11737","Ordinal":"2","NoteData":"2019-09-27","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"11737","Ordinal":"3","NoteData":"2019-09-27","Type":"Other","Title":"Modified"}]}}}