PT-2019-16005 · Midori · Midori Browser

Gareth Heyes · Published 2019-12-20 · Updated 2020-01-14 · CVE-2019-19916

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Midori Browser version 0.5.11

Description: The issue arises from incorrect application of Content Security Policy (CSP) to multipart content sent with the multipart/x-mixed-replace MIME type. Because the policy is not applied to every part, script can execute in content where CSP should have blocked it, potentially allowing cross-site scripting (XSS) and other attacks when the product renders a part as HTML. The problem also involves the polyglot case, where a single file is both a valid image (e.g., GIF) and valid JavaScript.

Recommendations: For Midori Browser version 0.5.11, update to a version in which this issue is resolved, as the current version does not correctly apply CSP to all parts of multipart content. As a temporary workaround, restrict the rendering of multipart content to minimize the risk of exploitation.
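As an added example, not part of this advisory and not Midori's code, the following audit helper parses a multipart/x-mixed-replace response body and reports which parts declare themselves as HTML. A site operator can run it over responses served from their own origin to find content that would rely on per-part CSP enforcement in a browser affected by this issue. The sample body and the boundary name `frame` are constructed for the example.

```python
"""Audit a multipart/x-mixed-replace body: which parts would render as HTML?"""
import re

# Constructed sample response (not from the advisory): an image part followed by an HTML part.
SAMPLE_CONTENT_TYPE = "multipart/x-mixed-replace; boundary=frame"
SAMPLE_BODY = (
    b"--frame\r\n"
    b"Content-Type: image/gif\r\n\r\n"
    b"GIF89a...\r\n"
    b"--frame\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>second part</body></html>\r\n"
    b"--frame--\r\n"
)


def boundary_from(content_type):
    """Extract the boundary parameter (quoted or bare) from a Content-Type value."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    return m.group(1).encode()


def split_parts(body, boundary):
    """Return [(headers_dict, payload_bytes), ...] for each part before the closing delimiter."""
    delim = b"--" + boundary
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # "--boundary--" closes the multipart body
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            if b":" in line:
                name, value = line.split(b":", 1)
                headers[name.strip().lower().decode()] = value.strip().decode()
        parts.append((headers, payload.rstrip(b"\r\n")))
    return parts


def html_part_indexes(content_type, body):
    """Indexes of parts whose own Content-Type says text/html; [] for non-mixed-replace responses."""
    if not content_type.lower().startswith("multipart/x-mixed-replace"):
        return []
    parts = split_parts(body, boundary_from(content_type))
    return [i for i, (hdrs, _) in enumerate(parts)
            if hdrs.get("content-type", "").lower().startswith("text/html")]
```

A non-empty result means the response contains HTML that a browser with this defect would render without the top-level CSP, which is the content to remove or serve as a plain document instead.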

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2019-19916

Affected Products: Midori Browser