CVE-2019-11738

 

Published at: - 27-09-2019 08:15

Last modified: - 24-09-2022 03:03

Total changes: - 4

Description

If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

 

Verification logic

 

Reference

• https://bugzilla.mozilla.org/show_bug.cgi?id=1452037
• https://www.mozilla.org/security/advisories/mfsa2019-25/
• https://www.mozilla.org/security/advisories/mfsa2019-26/
• openSUSE-SU-2019:2251-Mailing List, Third Party Advisory
• openSUSE-SU-2019:2260-Mailing List, Third Party Advisory

 

Keywords

NVD

 

CVE-2019-11738

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures