
CVE-2019-19916

Published: 20/12/2019 Updated: 14/01/2020
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

In Midori Browser 0.5.11 (on Windows 10), Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the multipart/x-mixed-replace MIME type. This could result in script running where CSP should have blocked it, allowing for cross-site scripting (XSS) and other attacks when the product renders the content as HTML. Remediating this would also need to consider the polyglot case, e.g., a file that is a valid GIF image and also valid JavaScript.

Vulnerable Product

midori-browser midori 0.5.11

Github Repositories

This PoC describes a MIME confusion attack on listed browsers

MIME Confusion Attack

This PoC describes a MIME confusion attack on:
Midori Browser 0.5.11 on Windows 10 // I published this CVE-2019-19916 (cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19916)
Internet Explorer 11.535.18362.0 on Windows 10
Safari 10.1.2 (12603.3.8) on MacOS Sierra

About the MIME Confusion Attack

Scanning the content of a file allows web brow

This post describes how to bypass Content Security Policy against MIME Confusion Attack on browsers

Bypass CSP against MIME Confusion Attack

Major browsers have implemented Content Security Policy against MIME confusion attacks since 2018, reported by CVE-2018-5164 and CVE-2019-19916 (my report) which use polyglot image files (GIF, JPG ) with embedded JavaScript code (as described here: blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firef