PT-2019-5021 · Mozilla+2 · Firefox+2

Yangzheng Li

·

Published

2019-10-22

·

Updated

2024-12-12

·

CVE-2019-17000

CVSS v3.1

6.1

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Firefox versions prior to 70
Description The issue is related to an object tag with a data URI not correctly inheriting the document's Content Security Policy, allowing a CSP bypass in a cross-origin frame if the document's policy explicitly allows data: URIs. This could potentially allow a remote attacker to gain unauthorized access to confidential data and impact data integrity.
Recommendations For versions prior to 70, update to version 70 or later to resolve the issue. As a temporary workaround, consider restricting the use of data: URIs in the Content Security Policy to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

ALT-PU-2019-3087
ALT-PU-2020-1617
ALT-PU-2020-2408
ALT-PU-2020-2933
ALT-PU-2021-1368
BDU:2020-01653
CVE-2019-17000
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:14572-1
USN-4165-1
USN-4165-2

Affected Products

Alt Linux
Firefox
Ubuntu