CVE-2019-17001 - OpenCVE

A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-2019-17000.*Note: This flaw only affected Firefox 69 and was not present in earlier versions.*. This vulnerability affects Firefox < 70.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mozilla	Firefox

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:69.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1587976
https://www.mozilla.org/security/advisories/mfsa2019-34/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2020-01-08T21:41:25

Updated: 2024-08-05T01:24:48.679Z

Reserved: 2019-09-30T00:00:00

Link: CVE-2019-17001

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-01-08T22:15:11.513

Modified: 2020-01-13T18:16:39.127

Link: CVE-2019-17001

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "before 70"}]}], "descriptions": [{"lang": "en", "value": "A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-2019-17000.*Note: This flaw only affected Firefox 69 and was not present in earlier versions.*. This vulnerability affects Firefox < 70."}], "problemTypes": [{"descriptions": [{"description": "CSP bypass using object tag when script-src 'none' is specified", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-08T21:41:25", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1587976"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-34/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-17001", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Firefox", "version": {"version_data": [{"version_value": "before 70"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-2019-17000.*Note: This flaw only affected Firefox 69 and was not present in earlier versions.*. This vulnerability affects Firefox < 70."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CSP bypass using object tag when script-src 'none' is specified"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1587976", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1587976"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-34/", "refsource": "CONFIRM", "url": "https://www.mozilla.org/security/advisories/mfsa2019-34/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:24:48.679Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1587976"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-34/"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-17001", "datePublished": "2020-01-08T21:41:25", "dateReserved": "2019-09-30T00:00:00", "dateUpdated": "2024-08-05T01:24:48.679Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:69.0:*:*:*:*:*:*:*", "matchCriteriaId": "93786E55-366F-4964-8BA4-D3595EDC2866", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-2019-17000.*Note: This flaw only affected Firefox 69 and was not present in earlier versions.*. This vulnerability affects Firefox < 70."}, {"lang": "es", "value": "Una Pol\u00edtica de Seguridad de Contenido que bloquea los scripts en l\u00ednea podr\u00eda ser omitida utilizando una etiqueta de objeto para ejecutar JavaScript en el documento protegido (cross-site scripting). Esta es una omisi\u00f3n separada de CVE-2019-17000. *Nota: Este fallo solo afect\u00f3 a Firefox versi\u00f3n 69 y no estuvo presente en versiones anteriores.*. Esta vulnerabilidad afecta a Firefox versiones anteriores a la versi\u00f3n 70."}], "id": "CVE-2019-17001", "lastModified": "2020-01-13T18:16:39.127", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-08T22:15:11.513", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1587976"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-34/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}