Vulnerability Details : CVE-2019-11763
Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mask the actual characters of interest from filters. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-11763
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11763
0.15%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 51 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-11763
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2019-11763
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11763
-
https://www.mozilla.org/security/advisories/mfsa2019-35/
Security vulnerabilities fixed in - Thunderbird 68.2 — MozillaVendor Advisory
-
https://www.mozilla.org/security/advisories/mfsa2019-34/
Security vulnerabilities fixed in - Firefox 70 — MozillaVendor Advisory
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1584216
Access DeniedIssue Tracking;Permissions Required
-
https://usn.ubuntu.com/4335-1/
USN-4335-1: Thunderbird vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://www.mozilla.org/security/advisories/mfsa2019-33/
Security vulnerabilities fixed in - Firefox ESR 68.2 — MozillaVendor Advisory
-
https://security.gentoo.org/glsa/202003-10
Mozilla Thunderbird: Multiple vulnerabilities (GLSA 202003-10) — Gentoo securityThird Party Advisory
Jump to