First published: Fri Dec 20 2019
In Midori Browser 0.5.11 (on Windows 10), Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the multipart/x-mixed-replace MIME type. This could result in script running where CSP should have blocked it, allowing for cross-site scripting (XSS) and other attacks when the product renders the content as HTML. Remediating this would also need to consider the polyglot case, e.g., a file that is a valid GIF image and also valid JavaScript.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Midori-browser Midori | =0.5.11 | |
Microsoft Windows 10 | | |
The vulnerability ID for this issue is CVE-2019-19916.
The severity of CVE-2019-19916 is medium, with a CVSS score of 6.1.
Midori Browser version 0.5.11 on Windows 10 is affected by CVE-2019-19916.
CVE-2019-19916 allows for cross-site scripting (XSS) and other attacks by bypassing Content Security Policy (CSP).
Currently, there is no known patch or mitigation for CVE-2019-19916. It is recommended to update to a newer version of Midori Browser if available or consider using an alternative browser.