Cross-site Scripting (XSS) Affecting firefox-esr package, versions <68.4.1esr-1~deb10u1
- Snyk ID SNYK-DEBIAN10-FIREFOXESR-540854
- published 7 Jan 2020
- disclosed 8 Jan 2020
Introduced: 7 Jan 2020
CVE-2019-17016
How to fix?
Upgrade Debian:10 firefox-esr to version 68.4.1esr-1~deb10u1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream firefox-esr package and not the firefox-esr package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.
When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.