CVE-2019-11738

{"id": "CVE-2019-11738", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2019-09-27T18:15:11.600", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@mozilla.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@mozilla.org"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1452037", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2019-25/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2019-26/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1."}, {"lang": "es", "value": "Si una directiva de Content Security Policy (CSP) se define que usa una fuente basada en hash que toma la cadena vac\u00eda como entrada, se permitir\u00e1 la ejecuci\u00f3n de cualquier URI javascript:. Esto podr\u00eda permitir que contenido malicioso de JavaScript sea ejecutado, sin pasar por los permisos de CSP. Esta vulnerabilidad afecta a Firefox versiones anteriores a 69 y Firefox ESR versiones anteriores a 68.1."}], "lastModified": "2022-03-31T18:07:13.633", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "299AA921-46BD-4E9F-8D74-F304F44C6EB4", "versionEndExcluding": "69.0"}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D2105669-4D8A-43BB-8E5D-4398F6444FE0", "versionEndExcluding": "68.1.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9"}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}