| Name | CVE-2019-11715 |
| Description | Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1869-1, DLA-1870-1, DSA-4479-1, DSA-4482-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| firefox (PTS) | sid | 132.0.2-1 | fixed |
| firefox-esr (PTS) | jessie, jessie (lts) | 68.9.0esr-1~deb8u2 | fixed |
| stretch (security), stretch (lts), stretch | 91.11.0esr-1~deb9u1 | fixed | |
| buster (security), buster, buster (lts) | 115.12.0esr-1~deb10u1 | fixed | |
| bullseye | 115.14.0esr-1~deb11u1 | fixed | |
| bullseye (security) | 128.4.0esr-1~deb11u1 | fixed | |
| bookworm | 128.3.1esr-1~deb12u1 | fixed | |
| bookworm (security) | 128.4.0esr-1~deb12u1 | fixed | |
| sid, trixie | 128.4.0esr-1 | fixed | |
| thunderbird (PTS) | jessie, jessie (lts) | 1:68.9.0-1~deb8u2 | fixed |
| stretch (security), stretch (lts), stretch | 1:91.10.0-1~deb9u1 | fixed | |
| buster (security), buster, buster (lts) | 1:115.12.0-1~deb10u1 | fixed | |
| bullseye | 1:115.12.0-1~deb11u1 | fixed | |
| bullseye (security) | 1:128.4.3esr-1~deb11u1 | fixed | |
| bookworm | 1:115.16.0esr-1~deb12u1 | fixed | |
| bookworm (security) | 1:128.4.3esr-1~deb12u1 | fixed | |
| sid, trixie | 1:128.4.3esr-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| firefox | source | (unstable) | 68.0-1 | |||
| firefox-esr | source | wheezy | (unfixed) | end-of-life | ||
| firefox-esr | source | jessie | 60.8.0esr-1~deb8u1 | DLA-1869-1 | ||
| firefox-esr | source | stretch | 60.8.0esr-1~deb9u1 | DSA-4479-1 | ||
| firefox-esr | source | buster | 60.8.0esr-1~deb10u1 | DSA-4479-1 | ||
| firefox-esr | source | (unstable) | 60.8.0esr-1 | |||
| thunderbird | source | wheezy | (unfixed) | end-of-life | ||
| thunderbird | source | jessie | 1:60.8.0-1~deb8u1 | DLA-1870-1 | ||
| thunderbird | source | stretch | 1:60.8.0-1~deb9u1 | DSA-4482-1 | ||
| thunderbird | source | buster | 1:60.8.0-1~deb10u1 | DSA-4482-1 | ||
| thunderbird | source | (unstable) | 1:60.8.0-1 |
https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11715
https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11715
https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11715