CVE-2019-17001

Summary

A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-2019-17000.Note: This flaw only affected Firefox 69 and was not present in earlier versions.. This vulnerability affects Firefox < 70.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxbefore 70affected

Weaknesses

  • CSP bypass using object tag when script-src 'none' is specified

ADP Enrichment

CVE Program Container

Additional References

References