CVE-2019-17020 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2019-17020 Interim 1 16 2025-05-01T00:56:26Z current 2021-05-30T14:32:11Z 2025-05-01T00:56:26Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2019-17020 If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. This vulnerability affects Firefox < 72. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3HI2RC7AJAHY74Q6MK7GNGWU6TITB22V/ E-Mail link for openSUSE-SU-2024:14572-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE CaaS Platform 4.0 SUSE Enterprise Storage 6 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS SUSE Linux Enterprise Server 15 SP1-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP1 openSUSE Tumbleweed MozillaFirefox MozillaFirefox-92.0-1.2 MozillaFirefox-branding-upstream-92.0-1.2 MozillaFirefox-devel MozillaFirefox-devel-92.0-1.2 MozillaFirefox-translations-common MozillaFirefox-translations-common-92.0-1.2 MozillaFirefox-translations-other MozillaFirefox-translations-other-92.0-1.2 firefox-esr-128.5.1-1.1 firefox-esr-branding-upstream-128.5.1-1.1 firefox-esr-translations-common-128.5.1-1.1 firefox-esr-translations-other-128.5.1-1.1 MozillaFirefox-92.0-1.2 as a component of openSUSE Tumbleweed MozillaFirefox-branding-upstream-92.0-1.2 as a component of openSUSE Tumbleweed MozillaFirefox-devel-92.0-1.2 as a component of openSUSE Tumbleweed MozillaFirefox-translations-common-92.0-1.2 as a component of openSUSE Tumbleweed MozillaFirefox-translations-other-92.0-1.2 as a component of openSUSE Tumbleweed firefox-esr-128.5.1-1.1 as a component of openSUSE Tumbleweed firefox-esr-branding-upstream-128.5.1-1.1 as a component of openSUSE Tumbleweed firefox-esr-translations-common-128.5.1-1.1 as a component of openSUSE Tumbleweed firefox-esr-translations-other-128.5.1-1.1 as a component of openSUSE Tumbleweed MozillaFirefox as a component of SUSE CaaS Platform 4.0 MozillaFirefox-devel as a component of SUSE CaaS Platform 4.0 MozillaFirefox-translations-common as a component of SUSE CaaS Platform 4.0 MozillaFirefox-translations-other as a component of SUSE CaaS Platform 4.0 MozillaFirefox as a component of SUSE Enterprise Storage 6 MozillaFirefox as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS MozillaFirefox-devel as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS MozillaFirefox-translations-common as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS MozillaFirefox-translations-other as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS MozillaFirefox as a component of SUSE Linux Enterprise Server 15 SP1-LTSS MozillaFirefox-devel as a component of SUSE Linux Enterprise Server 15 SP1-LTSS MozillaFirefox-translations-common as a component of SUSE Linux Enterprise Server 15 SP1-LTSS MozillaFirefox-translations-other as a component of SUSE Linux Enterprise Server 15 SP1-LTSS MozillaFirefox as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 MozillaFirefox-devel as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 MozillaFirefox-translations-common as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 MozillaFirefox-translations-other as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. This vulnerability affects Firefox < 72. CVE-2019-17020 openSUSE Tumbleweed:MozillaFirefox-92.0-1.2 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-92.0-1.2 openSUSE Tumbleweed:MozillaFirefox-devel-92.0-1.2 openSUSE Tumbleweed:MozillaFirefox-translations-common-92.0-1.2 openSUSE Tumbleweed:MozillaFirefox-translations-other-92.0-1.2 openSUSE Tumbleweed:firefox-esr-128.5.1-1.1 openSUSE Tumbleweed:firefox-esr-branding-upstream-128.5.1-1.1 openSUSE Tumbleweed:firefox-esr-translations-common-128.5.1-1.1 openSUSE Tumbleweed:firefox-esr-translations-other-128.5.1-1.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N