PT-2019-4828 · Mozilla+5 · Firefox Esr+7
Gareth Heyes
·
Published
2019-10-22
·
Updated
2024-12-12
·
CVE-2019-11763
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Firefox versions prior to 70
Thunderbird versions prior to 68.2
Firefox ESR versions prior to 68.2
Description
The issue arises from the incorrect handling of null bytes when processing HTML entities, leading to incorrect parsing by Firefox. This could result in HTML comment text being treated as HTML, potentially leading to cross-site scripting (XSS) in certain web applications. Additionally, it could allow HTML entities to be masked from filters, enabling the use of entities to hide actual characters of interest from filters. The vulnerability may allow a remote attacker to impact data integrity.
Recommendations
For Firefox versions prior to 70, update to version 70 or later.
For Thunderbird versions prior to 68.2, update to version 68.2 or later.
For Firefox ESR versions prior to 68.2, update to version 68.2 or later.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Centos
Firefox
Firefox Esr
Red Hat
Suse
Thunderbird
Ubuntu