CVE-2019-11715

Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html
https://bugzilla.mozilla.org/show_bug.cgi?id=1555523	Issue Tracking Permissions Required Vendor Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html
https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html
https://security.gentoo.org/glsa/201908-12
https://security.gentoo.org/glsa/201908-20
https://www.mozilla.org/security/advisories/mfsa2019-21/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-22/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-23/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox_esr::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

History

No history.

Information

Published : 2019-07-23 14:15

Updated : 2019-07-29 16:15

NVD link : CVE-2019-11715

Mitre link : CVE-2019-11715

CVE.ORG link : CVE-2019-11715

JSON object : View

Products Affected

mozilla

thunderbird
firefox
firefox_esr

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2019-11715", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2019-07-23T14:15:15.810", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", "source": "security@mozilla.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", "source": "security@mozilla.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html", "source": "security@mozilla.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html", "source": "security@mozilla.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html", "source": "security@mozilla.org"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1555523", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html", "source": "security@mozilla.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html", "source": "security@mozilla.org"}, {"url": "https://security.gentoo.org/glsa/201908-12", "source": "security@mozilla.org"}, {"url": "https://security.gentoo.org/glsa/201908-20", "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2019-22/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2019-23/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8."}, {"lang": "es", "value": "Debido a un error mientras se analiza el contenido de p\u00e1gina, es posible que las entradas de los usuarios debidamente saneadas sean interpretadas inapropiadamente y conlleven a riesgos de tipo XSS peligrosos en los sitios web en determinadas circunstancias. Esta vulnerabilidad afecta a Firefox ESR anterior a versi\u00f3n 60.8, Firefox anterior a versi\u00f3n 68 y Thunderbird anterior a versi\u00f3n 60.8."}], "lastModified": "2019-07-29T16:15:11.943", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB53FE62-B5D2-497B-A7E3-40FFE81A9653", "versionEndExcluding": "68.0"}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B14D1A72-1C76-4DF2-87AC-466428CB5583", "versionEndExcluding": "60.8.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3BD4F2C0-0E41-48C3-8D97-8AA9016D738B", "versionEndExcluding": "60.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}