CVE-2019-17020

Name
CVE-2019-17020
Description
If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. This vulnerability affects Firefox < 72.
NVD Severity
medium

References

| Type | URI |
| --- | --- |
| Permissions Required | https://bugzilla.mozilla.org/show_bug.cgi?id=1597645 |
| Vendor Advisory | https://www.mozilla.org/security/advisories/mfsa2020-01/ |
| Third Party Advisory | https://usn.ubuntu.com/4234-1/ |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| `cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*` | firefox | >= None | < 72.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| librewolf | edge-community | 71.0.1-r0 | None | fixed |
| librewolf | 3.22-community | 71.0.1-r0 | None | fixed |
| librewolf | 3.21-community | 71.0.1-r0 | None | fixed |
| firefox | edge-community | 71.0.1-r0 | None | fixed |
| firefox | edge-community | 70.0-r0 | None | possibly vulnerable |
| firefox | edge-community | 68.0.2-r0 | None | possibly vulnerable |
| firefox | 3.22-community | 71.0.1-r0 | None | fixed |
| firefox | 3.22-community | 70.0-r0 | None | possibly vulnerable |
| firefox | 3.22-community | 68.0.2-r0 | None | possibly vulnerable |
| firefox | 3.21-community | 71.0.1-r0 | None | fixed |
| firefox | 3.20-community | 71.0.1-r0 | None | fixed |
| firefox | 3.19-community | 71.0.1-r0 | None | fixed |
| firefox | 3.18-community | 71.0.1-r0 | None | fixed |
| firefox | 3.17-community | 71.0.1-r0 | None | fixed |