Bug 1788726 (CVE-2019-17022) - CVE-2019-17022 Mozilla: CSS sanitization does not escape HTML tags
Summary: CVE-2019-17022 Mozilla: CSS sanitization does not escape HTML tags
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-17022
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1788028 1788029 1788030 1788031 1788032 1788033 1790248 1790249 1790250 1790251 1790252 1790253
Blocks: 1787590
TreeView+ depends on / blocked
 
Reported: 2020-01-07 22:37 UTC by Doran Moppert
Modified: 2021-02-16 20:48 UTC (History)
5 users (show)

Fixed In Version: firefox 68.4, thunderbird 68.4.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-13 20:09:35 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0085 0 None None None 2020-01-13 14:38:48 UTC
Red Hat Product Errata RHSA-2020:0086 0 None None None 2020-01-13 14:19:49 UTC
Red Hat Product Errata RHSA-2020:0111 0 None None None 2020-01-14 18:39:00 UTC
Red Hat Product Errata RHSA-2020:0120 0 None None None 2020-01-16 11:57:56 UTC
Red Hat Product Errata RHSA-2020:0123 0 None None None 2020-01-16 11:50:13 UTC
Red Hat Product Errata RHSA-2020:0127 0 None None None 2020-01-16 12:52:57 UTC
Red Hat Product Errata RHSA-2020:0292 0 None None None 2020-01-30 09:02:26 UTC
Red Hat Product Errata RHSA-2020:0295 0 None None None 2020-01-30 10:02:39 UTC

Description Doran Moppert 2020-01-07 22:37:35 UTC 
When pasting a `<style>` tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17022
Comment 1 Doran Moppert 2020-01-07 22:37:38 UTC 
Acknowledgments:

Name: the Mozilla project
Upstream: Michał Bentkowski
Comment 2 errata-xmlrpc 2020-01-13 14:19:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0086 https://access.redhat.com/errata/RHSA-2020:0086
Comment 3 errata-xmlrpc 2020-01-13 14:38:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0085 https://access.redhat.com/errata/RHSA-2020:0085
Comment 4 Product Security DevOps Team 2020-01-13 20:09:35 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-17022
Comment 6 errata-xmlrpc 2020-01-14 18:38:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0111 https://access.redhat.com/errata/RHSA-2020:0111
Comment 7 errata-xmlrpc 2020-01-16 11:50:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0123 https://access.redhat.com/errata/RHSA-2020:0123
Comment 8 errata-xmlrpc 2020-01-16 11:57:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0120 https://access.redhat.com/errata/RHSA-2020:0120
Comment 9 errata-xmlrpc 2020-01-16 12:52:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0127 https://access.redhat.com/errata/RHSA-2020:0127
Comment 10 errata-xmlrpc 2020-01-30 09:02:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0292 https://access.redhat.com/errata/RHSA-2020:0292
Comment 11 errata-xmlrpc 2020-01-30 10:02:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0295 https://access.redhat.com/errata/RHSA-2020:0295
Note You need to log in before you can comment on or make changes to this bug.