Main Vulnerability Database SB2020010949

SB2020010949 - Code Injection in firefox-esr (Alpine package)

Published: January 9, 2020

Security Bulletin ID SB2020010949

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Code Injection (CVE-ID: CVE-2019-17016)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation when pasting a tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=af0d1d1edd77beb85efb9bbf0ad15000eb319170
https://git.alpinelinux.org/aports/commit/?id=6b5e4482828c460437f6c79a23c688d6d99a14fd
https://git.alpinelinux.org/aports/commit/?id=ed2c5b48f57ac3a3a379f6a0db7ef891fcdbaeeb