Action not permitted
Modal body text goes here.
wid-sec-w-2023-0459
Vulnerability from csaf_certbund
Published
2019-07-09 22:00
Modified
2024-02-19 23:00
Summary
Mozilla Firefox/Firefox ESR: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Firefox ist ein Open Source Web Browser.
ESR ist die Variante mit verlängertem Support.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Mozilla Firefox und Mozilla Firefox ESR ausnutzen, um einen Denial of Service Angriff durchzuführen, Daten zu manipulieren, Sicherheitsmechanismen zu umgehen, vertrauliche Daten einzusehen oder Code mit den Privilegien des Angegriffenen zur Ausführung zu bringen.
Betroffene Betriebssysteme
- UNIX
- Linux
- MacOS X
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Firefox ist ein Open Source Web Browser. \r\nESR ist die Variante mit verl\u00e4ngertem Support.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Mozilla Firefox und Mozilla Firefox ESR ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, Daten zu manipulieren, Sicherheitsmechanismen zu umgehen, vertrauliche Daten einzusehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung zu bringen.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- MacOS X\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0459 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2019/wid-sec-w-2023-0459.json" }, { "category": "self", "summary": "WID-SEC-2023-0459 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0459" }, { "category": "external", "summary": "Mozilla Security Advisories vom 2019-07-09", "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/" }, { "category": "external", "summary": "Mozilla Security Advisories vom 2019-07-09", "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2019:1764 vom 2019-07-11", "url": "https://access.redhat.com/errata/RHSA-2019:1764" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2019:1765 vom 2019-07-12", "url": "https://access.redhat.com/errata/RHSA-2019:1765" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2019:1763 vom 2019-07-12", "url": "https://access.redhat.com/errata/RHSA-2019:1763" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2019-1765 vom 2019-07-12", "url": "http://linux.oracle.com/errata/ELSA-2019-1765.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2019-1763 vom 2019-07-12", "url": "http://linux.oracle.com/errata/ELSA-2019-1763.html" }, { "category": "external", "summary": "Debian Security Advisory DSA-4479 vom 2019-07-12", "url": "http://www.debian.org/security/2019/dsa-4479" }, { "category": "external", "summary": "CentOS-announce CESA-2019:1763 vom 2019-07-11", "url": "https://lists.centos.org/pipermail/centos-announce/2019-July/023365.html" }, { "category": "external", "summary": "CentOS-announce CESA-2019:1765 vom 2019-07-11", "url": "https://lists.centos.org/pipermail/centos-announce/2019-July/023364.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-4060-1 vom 2019-07-16", "url": "https://usn.ubuntu.com/4060-2/" }, { "category": "external", "summary": "Ubuntu Security Notice USN-4060-1 vom 2019-07-16", "url": "https://usn.ubuntu.com/4060-1/" }, { "category": "external", "summary": "Arch Linux Security Advisory ASA-201907-4 vom 2019-07-17", "url": "https://security.archlinux.org/ASA-201907-4" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2019:1869-1 vom 2019-07-17", "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20191869-1.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2019:14124-1 vom 2019-07-17", "url": "https://www.suse.com/support/update/announcement/2019/suse-su-201914124-1.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2019:1861-1 vom 2019-07-17", "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20191861-1.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-4054-1 vom 2019-07-26", "url": "https://usn.ubuntu.com/4054-2/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2019:1861-2 vom 2019-07-29", "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20191861-2.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2019:1951 vom 2019-07-31", "url": "https://access.redhat.com/errata/RHSA-2019:1951" }, { "category": "external", "summary": "GENTOO Security Advisory GLSA201908-12 vom 2019-08-15", "url": "https://security.gentoo.org/glsa/201908-12" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2019:1861-3 vom 2019-08-17", "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20191861-3.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2019:2545-1 vom 2019-10-04", "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20192545-1.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2019:2515-1 vom 2019-10-03", "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20192515-1.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2019:2620-1 vom 2019-10-09", "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20192620-1.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2019:4190 vom 2019-12-10", "url": "https://access.redhat.com/errata/RHSA-2019:4190" }, { "category": "external", "summary": "AVAYA Security Advisory ASA-2019-247 vom 2019-12-15", "url": "https://downloads.avaya.com/css/P8/documents/101062926" }, { "category": "external", "summary": "CentOS Security Advisory CESA-2019:4190 vom 2019-12-24", "url": "http://centos-announce.2309468.n4.nabble.com/CentOS-announce-CESA-2019-4190-Important-CentOS-7-nss-util-Security-Update-tp4645789.html" }, { "category": "external", "summary": "CentOS Security Advisory CESA-2019:4190 vom 2019-12-24", "url": "http://centos-announce.2309468.n4.nabble.com/CentOS-announce-CESA-2019-4190-Important-CentOS-7-nss-Security-Update-tp4645792.html" }, { "category": "external", "summary": "CentOS Security Advisory CESA-2019:4190 vom 2019-12-24", "url": "http://centos-announce.2309468.n4.nabble.com/CentOS-announce-CESA-2019-4190-Important-CentOS-7-nss-softokn-Security-Update-tp4645791.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2019:3395-1 vom 2019-12-30", "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20193395-1.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2020:14418-1 vom 2020-07-06", "url": "http://lists.suse.com/pipermail/sle-security-updates/2020-July/007079.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:4076 vom 2020-09-29", "url": "https://access.redhat.com/errata/RHSA-2020:4076" }, { "category": "external", "summary": "Debian Security Advisory DLA-2388 vom 2020-09-29", "url": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202009/msg00029.html" }, { "category": "external", "summary": "AVAYA Security Advisory ASA-2020-119 vom 2020-10-10", "url": "https://downloads.avaya.com/css/P8/documents/101071288" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:0949 vom 2021-03-22", "url": "https://access.redhat.com/errata/RHSA-2021:0949" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2021-1522 vom 2021-07-13", "url": "https://alas.aws.amazon.com/ALAS-2021-1522.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2023-1942 vom 2023-02-22", "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1942.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2024-2470 vom 2024-02-19", "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2470.html" } ], "source_lang": "en-US", "title": "Mozilla Firefox/Firefox ESR: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-02-19T23:00:00.000+00:00", "generator": { "date": "2024-02-20T10:07:17.151+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0459", "initial_release_date": "2019-07-09T22:00:00.000+00:00", "revision_history": [ { "date": "2019-07-09T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2019-07-11T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat, Oracle Linux und Debian aufgenommen" }, { "date": "2019-07-14T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von CentOS" }, { "date": "2019-07-16T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2019-07-16T22:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Arch Linux aufgenommen" }, { "date": "2019-07-17T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2019-07-25T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2019-07-29T22:00:00.000+00:00", "number": "8", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2019-07-30T22:00:00.000+00:00", "number": "9", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2019-08-15T22:00:00.000+00:00", "number": "10", "summary": "Neue Updates von GENTOO aufgenommen" }, { "date": "2019-08-18T22:00:00.000+00:00", "number": "11", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2019-10-03T22:00:00.000+00:00", "number": "12", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2019-10-09T22:00:00.000+00:00", "number": "13", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2019-12-10T23:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2019-12-15T23:00:00.000+00:00", "number": "15", "summary": "Neue Updates von AVAYA aufgenommen" }, { "date": "2019-12-26T23:00:00.000+00:00", "number": "16", "summary": "Neue Updates von CentOS aufgenommen" }, { "date": "2019-12-30T23:00:00.000+00:00", "number": "17", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2020-07-06T22:00:00.000+00:00", "number": "18", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2020-09-29T22:00:00.000+00:00", "number": "19", "summary": "Neue Updates von Red Hat und Debian aufgenommen" }, { "date": "2020-10-11T22:00:00.000+00:00", "number": "20", "summary": "Neue Updates von AVAYA aufgenommen" }, { "date": "2021-03-21T23:00:00.000+00:00", "number": "21", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-07-12T22:00:00.000+00:00", "number": "22", "summary": "Neue Updates von Amazon aufgenommen" }, { "date": "2023-02-22T23:00:00.000+00:00", "number": "23", "summary": "Neue Updates von Amazon aufgenommen" }, { "date": "2024-02-19T23:00:00.000+00:00", "number": "24", "summary": "Neue Updates von Amazon aufgenommen" } ], "status": "final", "version": "24" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Amazon Linux 2", "product": { "name": "Amazon Linux 2", "product_id": "398363", "product_identification_helper": { "cpe": "cpe:/o:amazon:linux_2:-" } } } ], "category": "vendor", "name": "Amazon" }, { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Gentoo Linux", "product": { "name": "Gentoo Linux", "product_id": "T012167", "product_identification_helper": { "cpe": "cpe:/o:gentoo:linux:-" } } } ], "category": "vendor", "name": "Gentoo" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c 68", "product": { "name": "Mozilla Firefox \u003c 68", "product_id": "T014516", "product_identification_helper": { "cpe": "cpe:/a:mozilla:firefox:68" } } } ], "category": "product_name", "name": "Firefox" }, { "branches": [ { "category": "product_version_range", "name": "\u003c 60.8", "product": { "name": "Mozilla Firefox ESR \u003c 60.8", "product_id": "162606", "product_identification_helper": { "cpe": "cpe:/a:mozilla:firefox_esr:10.0" } } } ], "category": "product_name", "name": "Firefox ESR" } ], "category": "vendor", "name": "Mozilla" }, { "branches": [ { "category": "product_name", "name": "Open Source Arch Linux", "product": { "name": "Open Source Arch Linux", "product_id": "T013312", "product_identification_helper": { "cpe": "cpe:/o:archlinux:archlinux:-" } } }, { "category": "product_name", "name": "Open Source CentOS", "product": { "name": "Open Source CentOS", "product_id": "1727", "product_identification_helper": { "cpe": "cpe:/o:centos:centos:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-11709", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11709" }, { "cve": "CVE-2019-11710", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11710" }, { "cve": "CVE-2019-11711", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11711" }, { "cve": "CVE-2019-11712", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11712" }, { "cve": "CVE-2019-11713", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11713" }, { "cve": "CVE-2019-11714", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11714" }, { "cve": "CVE-2019-11715", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11715" }, { "cve": "CVE-2019-11716", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11716" }, { "cve": "CVE-2019-11717", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11717" }, { "cve": "CVE-2019-11718", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11718" }, { "cve": "CVE-2019-11719", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11719" }, { "cve": "CVE-2019-11720", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11720" }, { "cve": "CVE-2019-11721", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11721" }, { "cve": "CVE-2019-11723", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11723" }, { "cve": "CVE-2019-11724", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11724" }, { "cve": "CVE-2019-11725", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11725" }, { "cve": "CVE-2019-11727", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11727" }, { "cve": "CVE-2019-11728", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11728" }, { "cve": "CVE-2019-11729", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11729" }, { "cve": "CVE-2019-11730", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-11730" }, { "cve": "CVE-2019-9811", "notes": [ { "category": "description", "text": "In Mozilla Firefox und Mozilla Firefox ESR existieren mehrere Schwachstellen. Ein Angreifer kann diese nutzen und einen Denial of Service Angriff durchf\u00fchren, Daten manipulieren, Sicherheitsmechanismen umgehen, vertrauliche Daten einsehen oder Code mit den Privilegien des Angegriffenen zur Ausf\u00fchrung bringen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T013312", "398363", "T012167", "1727", "T004914" ] }, "release_date": "2019-07-09T22:00:00Z", "title": "CVE-2019-9811" } ] }
cve-2019-11717
Vulnerability from cvelistv5
Published
2019-07-23 13:18
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mozilla | Firefox ESR | |
Mozilla | Firefox | |
Mozilla | Thunderbird |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.386Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1548306" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox ESR", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Thunderbird", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability exists where the caret (\"^\") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ], "problemTypes": [ { "descriptions": [ { "description": "Caret character improperly escaped in origins", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-04T17:06:46", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1548306" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11717", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox ESR", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } }, { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } }, { "product_name": "Thunderbird", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability exists where the caret (\"^\") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Caret character improperly escaped in origins" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-22/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-23/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1548306", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1548306" }, { "name": "openSUSE-SU-2019:1811", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11717", "datePublished": "2019-07-23T13:18:07", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.386Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11711
Vulnerability from cvelistv5
Published
2019-07-23 13:19
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mozilla | Firefox ESR | |
Mozilla | Firefox | |
Mozilla | Thunderbird |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.432Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552541" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox ESR", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Thunderbird", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ], "problemTypes": [ { "descriptions": [ { "description": "Script injection within domain through inner window reuse", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-04T17:06:53", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552541" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11711", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox ESR", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } }, { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } }, { "product_name": "Thunderbird", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Script injection within domain through inner window reuse" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-22/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-23/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552541", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552541" }, { "name": "openSUSE-SU-2019:1811", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11711", "datePublished": "2019-07-23T13:19:10", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.432Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11714
Vulnerability from cvelistv5
Published
2019-07-23 13:18
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances. This vulnerability affects Firefox < 68.
References
▼ | URL | Tags |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2019-21/ | x_refsource_MISC | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1542593 | x_refsource_MISC | |
https://security.gentoo.org/glsa/201908-12 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.500Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1542593" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances. This vulnerability affects Firefox \u003c 68." } ], "problemTypes": [ { "descriptions": [ { "description": "NeckoChild can trigger crash when accessed off of main thread", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-06T14:06:17", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1542593" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11714", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances. This vulnerability affects Firefox \u003c 68." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "NeckoChild can trigger crash when accessed off of main thread" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1542593", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1542593" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11714", "datePublished": "2019-07-23T13:18:42", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.500Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11712
Vulnerability from cvelistv5
Published
2019-07-23 13:19
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mozilla | Firefox ESR | |
Mozilla | Firefox | |
Mozilla | Thunderbird |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.410Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1543804" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox ESR", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Thunderbird", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-04T17:06:38", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1543804" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11712", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox ESR", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } }, { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } }, { "product_name": "Thunderbird", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-22/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-23/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1543804", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1543804" }, { "name": "openSUSE-SU-2019:1811", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11712", "datePublished": "2019-07-23T13:19:00", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.410Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11729
Vulnerability from cvelistv5
Published
2019-07-23 13:16
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mozilla | Firefox ESR | |
Mozilla | Firefox | |
Mozilla | Thunderbird |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.670Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "RHSA-2019:1951", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:1951" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "RHSA-2019:4190", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:4190" }, { "name": "[debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox ESR", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Thunderbird", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ], "problemTypes": [ { "descriptions": [ { "description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-09-29T21:06:19", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "RHSA-2019:1951", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:1951" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "RHSA-2019:4190", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:4190" }, { "name": "[debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11729", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox ESR", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } }, { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } }, { "product_name": "Thunderbird", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-22/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-23/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342" }, { "name": "openSUSE-SU-2019:1811", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "RHSA-2019:1951", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1951" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "RHSA-2019:4190", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:4190" }, { "name": "[debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11729", "datePublished": "2019-07-23T13:16:24", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.670Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11719
Vulnerability from cvelistv5
Published
2019-07-23 13:17
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mozilla | Firefox ESR | |
Mozilla | Firefox | |
Mozilla | Thunderbird |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.425Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1540541" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "RHSA-2019:1951", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:1951" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "[debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox ESR", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Thunderbird", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ], "problemTypes": [ { "descriptions": [ { "description": "Out-of-bounds read when importing curve25519 private key", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-09-29T21:06:21", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1540541" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "RHSA-2019:1951", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:1951" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "[debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11719", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox ESR", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } }, { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } }, { "product_name": "Thunderbird", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Out-of-bounds read when importing curve25519 private key" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-22/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-23/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1540541", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1540541" }, { "name": "openSUSE-SU-2019:1811", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "RHSA-2019:1951", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1951" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "[debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11719", "datePublished": "2019-07-23T13:17:46", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.425Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11730
Vulnerability from cvelistv5
Published
2019-07-23 13:16
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mozilla | Firefox ESR | |
Mozilla | Firefox | |
Mozilla | Thunderbird |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.603Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1558299" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox ESR", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Thunderbird", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app\u0027s predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ], "problemTypes": [ { "descriptions": [ { "description": "Same-origin policy treats all files in a directory as having the same-origin", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-04T17:06:37", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1558299" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11730", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox ESR", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } }, { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } }, { "product_name": "Thunderbird", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app\u0027s predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Same-origin policy treats all files in a directory as having the same-origin" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-22/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-23/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1558299", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1558299" }, { "name": "openSUSE-SU-2019:1811", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11730", "datePublished": "2019-07-23T13:16:08", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.603Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11728
Vulnerability from cvelistv5
Published
2019-07-23 13:16
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible to a user when web content is loaded. This vulnerability affects Firefox < 68.
References
▼ | URL | Tags |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2019-21/ | x_refsource_MISC | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1552993 | x_refsource_MISC | |
https://security.gentoo.org/glsa/201908-12 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.583Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552993" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible to a user when web content is loaded. This vulnerability affects Firefox \u003c 68." } ], "problemTypes": [ { "descriptions": [ { "description": "Port scanning through Alt-Svc header", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-06T14:06:13", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552993" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11728", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible to a user when web content is loaded. This vulnerability affects Firefox \u003c 68." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Port scanning through Alt-Svc header" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552993", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552993" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11728", "datePublished": "2019-07-23T13:16:34", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.583Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11721
Vulnerability from cvelistv5
Published
2019-07-23 13:17
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confusion. This vulnerability affects Firefox < 68.
References
▼ | URL | Tags |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2019-21/ | x_refsource_MISC | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1256009 | x_refsource_MISC | |
https://security.gentoo.org/glsa/201908-12 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.542Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1256009" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "The unicode latin \u0027kra\u0027 character can be used to spoof a standard \u0027k\u0027 character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confusion. This vulnerability affects Firefox \u003c 68." } ], "problemTypes": [ { "descriptions": [ { "description": "Domain spoofing through unicode latin \u0027kra\u0027 character", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-06T14:06:14", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1256009" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11721", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The unicode latin \u0027kra\u0027 character can be used to spoof a standard \u0027k\u0027 character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confusion. This vulnerability affects Firefox \u003c 68." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Domain spoofing through unicode latin \u0027kra\u0027 character" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1256009", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1256009" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11721", "datePublished": "2019-07-23T13:17:26", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.542Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-9811
Vulnerability from cvelistv5
Published
2019-07-23 13:26
Modified
2024-08-04 22:01
Severity ?
EPSS score ?
Summary
As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mozilla | Firefox ESR | |
Mozilla | Firefox | |
Mozilla | Thunderbird |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:01:54.737Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538007" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1539598" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1563327" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox ESR", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Thunderbird", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ], "problemTypes": [ { "descriptions": [ { "description": "Sandbox escape via installation of malicious language pack", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-06T14:06:25", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538007" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1539598" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1563327" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-9811", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox ESR", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } }, { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } }, { "product_name": "Thunderbird", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Sandbox escape via installation of malicious language pack" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-22/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-23/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538007", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538007" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1539598", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1539598" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1563327", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1563327" }, { "name": "openSUSE-SU-2019:1811", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-9811", "datePublished": "2019-07-23T13:26:03", "dateReserved": "2019-03-14T00:00:00", "dateUpdated": "2024-08-04T22:01:54.737Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11715
Vulnerability from cvelistv5
Published
2019-07-23 13:18
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mozilla | Firefox ESR | |
Mozilla | Firefox | |
Mozilla | Thunderbird |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.562Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1555523" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox ESR", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Thunderbird", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ], "problemTypes": [ { "descriptions": [ { "description": "HTML parsing error can contribute to content XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-04T17:06:50", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1555523" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11715", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox ESR", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } }, { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } }, { "product_name": "Thunderbird", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "HTML parsing error can contribute to content XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-22/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-23/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1555523", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1555523" }, { "name": "openSUSE-SU-2019:1811", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11715", "datePublished": "2019-07-23T13:18:29", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.562Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11713
Vulnerability from cvelistv5
Published
2019-07-23 13:18
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mozilla | Firefox ESR | |
Mozilla | Firefox | |
Mozilla | Thunderbird |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.443Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1528481" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox ESR", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Thunderbird", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ], "problemTypes": [ { "descriptions": [ { "description": "Use-after-free with HTTP/2 cached stream", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-04T17:06:39", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1528481" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11713", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox ESR", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } }, { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } }, { "product_name": "Thunderbird", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Use-after-free with HTTP/2 cached stream" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-22/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-23/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1528481", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1528481" }, { "name": "openSUSE-SU-2019:1811", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11713", "datePublished": "2019-07-23T13:18:51", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.443Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11720
Vulnerability from cvelistv5
Published
2019-07-23 13:17
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering. This vulnerability affects Firefox < 68.
References
▼ | URL | Tags |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2019-21/ | x_refsource_MISC | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1556230 | x_refsource_MISC | |
https://security.gentoo.org/glsa/201908-12 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.631Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1556230" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering. This vulnerability affects Firefox \u003c 68." } ], "problemTypes": [ { "descriptions": [ { "description": "Character encoding XSS vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-06T14:06:19", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1556230" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11720", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering. This vulnerability affects Firefox \u003c 68." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Character encoding XSS vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1556230", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1556230" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11720", "datePublished": "2019-07-23T13:17:35", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.631Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11710
Vulnerability from cvelistv5
Published
2019-07-23 13:19
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Mozilla developers and community members reported memory safety bugs present in Firefox 67. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 68.
References
▼ | URL | Tags |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2019-21/ | x_refsource_MISC | |
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1549768%2C1548611%2C1533842%2C1537692%2C1540590%2C1551907%2C1510345%2C1535482%2C1535848%2C1547472%2C1547760%2C1507696%2C1544180 | x_refsource_MISC | |
https://security.gentoo.org/glsa/201908-12 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.414Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1549768%2C1548611%2C1533842%2C1537692%2C1540590%2C1551907%2C1510345%2C1535482%2C1535848%2C1547472%2C1547760%2C1507696%2C1544180" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Mozilla developers and community members reported memory safety bugs present in Firefox 67. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox \u003c 68." } ], "problemTypes": [ { "descriptions": [ { "description": "Memory safety bugs fixed in Firefox 68", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-06T14:06:27", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1549768%2C1548611%2C1533842%2C1537692%2C1540590%2C1551907%2C1510345%2C1535482%2C1535848%2C1547472%2C1547760%2C1507696%2C1544180" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11710", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mozilla developers and community members reported memory safety bugs present in Firefox 67. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox \u003c 68." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Memory safety bugs fixed in Firefox 68" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1549768%2C1548611%2C1533842%2C1537692%2C1540590%2C1551907%2C1510345%2C1535482%2C1535848%2C1547472%2C1547760%2C1507696%2C1544180", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1549768%2C1548611%2C1533842%2C1537692%2C1540590%2C1551907%2C1510345%2C1535482%2C1535848%2C1547472%2C1547760%2C1507696%2C1544180" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11710", "datePublished": "2019-07-23T13:19:42", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.414Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11716
Vulnerability from cvelistv5
Published
2019-07-23 13:18
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed. This vulnerability affects Firefox < 68.
References
▼ | URL | Tags |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2019-21/ | x_refsource_MISC | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1552632 | x_refsource_MISC | |
https://security.gentoo.org/glsa/201908-12 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.449Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552632" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed. This vulnerability affects Firefox \u003c 68." } ], "problemTypes": [ { "descriptions": [ { "description": "globalThis not enumerable until accessed", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-06T14:06:15", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552632" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11716", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed. This vulnerability affects Firefox \u003c 68." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "globalThis not enumerable until accessed" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552632", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552632" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11716", "datePublished": "2019-07-23T13:18:19", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.449Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11724
Vulnerability from cvelistv5
Published
2019-07-23 13:17
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks. This vulnerability affects Firefox < 68.
References
▼ | URL | Tags |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2019-21/ | x_refsource_MISC | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1512511 | x_refsource_MISC | |
https://security.gentoo.org/glsa/201908-12 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.533Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1512511" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks. This vulnerability affects Firefox \u003c 68." } ], "problemTypes": [ { "descriptions": [ { "description": "Retired site input.mozilla.org has remote troubleshooting permissions", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-06T14:06:33", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1512511" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11724", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks. This vulnerability affects Firefox \u003c 68." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Retired site input.mozilla.org has remote troubleshooting permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1512511", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1512511" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11724", "datePublished": "2019-07-23T13:17:06", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.533Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11718
Vulnerability from cvelistv5
Published
2019-07-23 13:17
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snipper Service were compromised. This vulnerability affects Firefox < 68.
References
▼ | URL | Tags |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2019-21/ | x_refsource_MISC | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1408349 | x_refsource_MISC | |
https://security.gentoo.org/glsa/201908-12 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.411Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1408349" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snipper Service were compromised. This vulnerability affects Firefox \u003c 68." } ], "problemTypes": [ { "descriptions": [ { "description": "Activity Stream writes unsanitized content to innerHTML", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-06T14:06:29", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1408349" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11718", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snipper Service were compromised. This vulnerability affects Firefox \u003c 68." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Activity Stream writes unsanitized content to innerHTML" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1408349", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1408349" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11718", "datePublished": "2019-07-23T13:17:58", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.411Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11727
Vulnerability from cvelistv5
Published
2019-07-23 13:16
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
References
▼ | URL | Tags |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2019-21/ | x_refsource_MISC | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1552208 | x_refsource_MISC | |
https://access.redhat.com/errata/RHSA-2019:1951 | vendor-advisory, x_refsource_REDHAT | |
https://security.gentoo.org/glsa/201908-12 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.496Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552208" }, { "name": "RHSA-2019:1951", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:1951" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" }, { "name": "openSUSE-SU-2020:0008", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox \u003c 68." } ], "problemTypes": [ { "descriptions": [ { "description": "PKCS#1 v1.5 signatures can be used for TLS 1.3", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-12T00:06:04", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552208" }, { "name": "RHSA-2019:1951", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:1951" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" }, { "name": "openSUSE-SU-2020:0008", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11727", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox \u003c 68." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "PKCS#1 v1.5 signatures can be used for TLS 1.3" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552208", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1552208" }, { "name": "RHSA-2019:1951", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1951" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" }, { "name": "openSUSE-SU-2020:0008", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11727", "datePublished": "2019-07-23T13:16:44", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.496Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11709
Vulnerability from cvelistv5
Published
2019-07-23 13:19
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mozilla | Firefox ESR | |
Mozilla | Firefox | |
Mozilla | Thunderbird |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.452Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1547266%2C1540759%2C1548822%2C1550498%2C1515052%2C1539219%2C1547757%2C1550498%2C1533522" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox ESR", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Thunderbird", "vendor": "Mozilla", "versions": [ { "lessThan": "60.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ], "problemTypes": [ { "descriptions": [ { "description": "Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-04T17:06:34", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1547266%2C1540759%2C1548822%2C1550498%2C1515052%2C1539219%2C1547757%2C1550498%2C1533522" }, { "name": "openSUSE-SU-2019:1811", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11709", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox ESR", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } }, { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } }, { "product_name": "Thunderbird", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "60.8" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-22/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-22/" }, { "name": "https://www.mozilla.org/security/advisories/mfsa2019-23/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-23/" }, { "name": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1547266%2C1540759%2C1548822%2C1550498%2C1515052%2C1539219%2C1547757%2C1550498%2C1533522", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1547266%2C1540759%2C1548822%2C1550498%2C1515052%2C1539219%2C1547757%2C1550498%2C1533522" }, { "name": "openSUSE-SU-2019:1811", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html" }, { "name": "openSUSE-SU-2019:1813", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html" }, { "name": "[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "GLSA-201908-20", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-20" }, { "name": "openSUSE-SU-2019:1990", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11709", "datePublished": "2019-07-23T13:19:53", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.452Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11725
Vulnerability from cvelistv5
Published
2019-07-23 13:16
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but resources from the same site loaded through websockets are not blocked, leading to the loading of unsafe resources and bypassing safebrowsing protections. This vulnerability affects Firefox < 68.
References
▼ | URL | Tags |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2019-21/ | x_refsource_MISC | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1483510 | x_refsource_MISC | |
https://security.gentoo.org/glsa/201908-12 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.364Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1483510" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but resources from the same site loaded through websockets are not blocked, leading to the loading of unsafe resources and bypassing safebrowsing protections. This vulnerability affects Firefox \u003c 68." } ], "problemTypes": [ { "descriptions": [ { "description": "Websocket resources bypass safebrowsing protections", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-06T14:06:30", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1483510" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11725", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but resources from the same site loaded through websockets are not blocked, leading to the loading of unsafe resources and bypassing safebrowsing protections. This vulnerability affects Firefox \u003c 68." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Websocket resources bypass safebrowsing protections" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1483510", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1483510" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11725", "datePublished": "2019-07-23T13:16:52", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.364Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11723
Vulnerability from cvelistv5
Published
2019-07-23 13:17
Modified
2024-08-04 23:03
Severity ?
EPSS score ?
Summary
A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. This could leak cookies in private browsing mode or across different "containers" for people who use the Firefox Multi-Account Containers Web Extension. This vulnerability affects Firefox < 68.
References
▼ | URL | Tags |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2019-21/ | x_refsource_MISC | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1528335 | x_refsource_MISC | |
https://security.gentoo.org/glsa/201908-12 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:03:32.559Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1528335" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Firefox", "vendor": "Mozilla", "versions": [ { "lessThan": "68", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. This could leak cookies in private browsing mode or across different \"containers\" for people who use the Firefox Multi-Account Containers Web Extension. This vulnerability affects Firefox \u003c 68." } ], "problemTypes": [ { "descriptions": [ { "description": "Cookie leakage during add-on fetching across private browsing boundaries", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-06T14:06:23", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1528335" }, { "name": "GLSA-201908-12", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-11723", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Firefox", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "68" } ] } } ] }, "vendor_name": "Mozilla" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. This could leak cookies in private browsing mode or across different \"containers\" for people who use the Firefox Multi-Account Containers Web Extension. This vulnerability affects Firefox \u003c 68." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cookie leakage during add-on fetching across private browsing boundaries" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.mozilla.org/security/advisories/mfsa2019-21/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-21/" }, { "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1528335", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1528335" }, { "name": "GLSA-201908-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-12" }, { "name": "openSUSE-SU-2019:2248", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html" }, { "name": "openSUSE-SU-2019:2249", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html" }, { "name": "openSUSE-SU-2019:2251", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html" }, { "name": "openSUSE-SU-2019:2260", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-11723", "datePublished": "2019-07-23T13:17:17", "dateReserved": "2019-05-03T00:00:00", "dateUpdated": "2024-08-04T23:03:32.559Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.