PT-2019-4867 · Mozilla+2 · Firefox+2

Matthew Somerville

Published

2019-12-03

Updated

2024-12-12

CVE-2019-17020

CVSS v2.0

7.1

High

Vector

AV:N/AC:M/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 72

Description The issue is related to a security policy error that does not apply to the contents of an XSL stylesheet when an XML file is served with a Content Security Policy and includes an XSL stylesheet. This could allow a remote attacker to compromise data integrity, particularly if the XSL sheet includes JavaScript, thereby bypassing the restrictions of the Content Security Policy applied to the XML document.

Recommendations For Firefox versions prior to 72, update to version 72 or later to resolve the issue. As a temporary workaround, consider restricting the use of XSL stylesheets in XML files served with a Content Security Policy until a patch is applied.

Fix

XXE

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-611CWE-20

Related Identifiers

ALT-PU-2020-1110

ALT-PU-2020-1617

ALT-PU-2020-2408

ALT-PU-2020-2933

ALT-PU-2021-1368

BDU:2020-01454

CVE-2019-17020

OPENSUSE-SU-2024:10600-1

OPENSUSE-SU-2024:14572-1

USN-4234-1

USN-4234-2

Affected Products

Alt Linux

Firefox

Ubuntu

PT-2019-4867 · Mozilla+2 · Firefox+2

CVE-2019-17020

Weakness Enumeration

Related Identifiers

Affected Products

References · 1889