CVE-2019-11744

 

Published at: - 27-09-2019 08:15

Last modified: - 24-09-2022 03:03

Total changes: - 2

Description

Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

 

Verification logic

 

Reference

• https://www.mozilla.org/security/advisories/mfsa2019-29/
• https://www.mozilla.org/security/advisories/mfsa2019-30/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1562033
• https://www.mozilla.org/security/advisories/mfsa2019-27/
• https://www.mozilla.org/security/advisories/mfsa2019-25/
• https://www.mozilla.org/security/advisories/mfsa2019-26/
• openSUSE-SU-2019:2249-
• openSUSE-SU-2019:2248-
• openSUSE-SU-2019:2251-
• openSUSE-SU-2019:2260-
• USN-4150-1-
• GLSA-201911-07-

 

Keywords

NVD

 

CVE-2019-11744

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures