CVE-2019-11763

Advisory lineage Upstream: 0 Downstream: 28

Downstream

DEBIAN-CVE-2019-11763 DLA-1987-1 DLA-1997-1 DSA-4549-1 DSA-4571-1 MGASA-2019-0315

Modified

Published: 08 Jan 2020, 19:59

Last modified:04 Aug 2024, 23:03

Vulnerability Summary

Overall Risk (default)

medium

25/100

CVSS Score

6.1 MEDIUM

v3.1 (nvd)

EPSS Score

0.8% LOW

1% probability -1.43%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

08 Jan 2020, 19:59

Published

Vulnerability first disclosed

04 Aug 2024, 23:03

Last Modified

Vulnerability information updated

Description

Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mask the actual characters of interest from filters. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.

CVSS Metrics

v3.1•MEDIUM•Score: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.80%• Percentile: 74%

Techniques & Countermeasures

CWE-79•Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Systems

canonical•ubuntu_linux
16.04
mozilla•firefox
< 70.0 | < 70
mozilla•firefox_esr
< 68.2
mozilla•thunderbird
< 68.2