CVE-2019-11738

CVSS v3.1 6.3 (Medium)

CVSS v2.0 6.8 (Medium)

EPSS 0.21 % (59^th)

Affected Products 3

Advisories 11

If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.

Weaknesses

CWE-NVD-noinfo

CVE Status: PUBLISHED
CNA: Mozilla Corporation
Published Date: 2019-09-27 18:15:11
(5 years ago)
Updated Date: 2022-03-31 18:07:13
(2 years ago)

Affected Products

Mozilla

Firefox
Firefox Esr

Opensuse

Leap

Configuration #1

		CPE23	From	Up To
	Mozilla Firefox prior 69.0 version	cpe:2.3:a:mozilla:firefox		< 69.0
	Mozilla Firefox Esr prior 68.1.0 version	cpe:2.3:a:mozilla:firefox_esr		< 68.1.0

Configuration #2

		CPE23	From	Up To
	Opensuse Leap 15.0	cpe:2.3:o:opensuse:leap:15.0
	Opensuse Leap 15.1	cpe:2.3:o:opensuse:leap:15.1