CVE-2019-17022

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-17022

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17022.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2019-17022

Downstream

DEBIAN-CVE-2019-17022

DLA-2061-1

DLA-2071-1

DSA-4600-1

DSA-4603-1

RHSA-2020:0085

RHSA-2020:0086

RHSA-2020:0111

RHSA-2020:0120

RHSA-2020:0123

RHSA-2020:0127

RHSA-2020:0292

RHSA-2020:0295

SUSE-SU-2020:0068-1

SUSE-SU-2020:0078-1

SUSE-SU-2020:0142-1

SUSE-SU-2020:14268-1

UBUNTU-CVE-2019-17022

USN-4234-1

USN-4241-1

USN-4335-1

openSUSE-SU-2020:0060-1

openSUSE-SU-2020:0094-1

openSUSE-SU-2024:10600-1

openSUSE-SU-2024:10601-1

openSUSE-SU-2024:14572-1

Related

Published

2020-01-08T22:15:12Z

Modified

2025-08-09T20:01:27Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.

References

Affected packages