CVE-2019-11761
Mozilla: Unintended access to a privileged JSONView object
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.
Mediante el uso de un formulario con un URI de datos, fue posible conseguir acceso al objeto JSONView privilegiado que había sido clonado en contenido. El impacto de exponer este objeto parece ser mínimo, sin embargo, fue una omisión de los mecanismos de defensa existentes en profundidad. Esta vulnerabilidad afecta a Firefox versiones anteriores a la versión 70, Thunderbird versiones anteriores a la versión 68.2 y Firefox ESR versiones anteriores a la versión 68.2.
A vulnerability was found in Mozilla Firefox and Thunderbird. Privileged JSONView objects that have been cloned into content can be accessed using a form with a data URI. This flaw bypasses existing defense-in-depth mechanisms and can be exploited over the network.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-05-03 CVE Reserved
- 2019-10-23 CVE Published
- 2024-05-03 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-749: Exposed Dangerous Method or Function
- CWE-862: Missing Authorization
CAPEC
References (7)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://security.gentoo.org/glsa/202003-10 | 2023-02-01 | |
https://usn.ubuntu.com/4335-1 | 2023-02-01 | |
https://www.mozilla.org/security/advisories/mfsa2019-33 | 2023-02-01 | |
https://www.mozilla.org/security/advisories/mfsa2019-34 | 2023-02-01 | |
https://www.mozilla.org/security/advisories/mfsa2019-35 | 2023-02-01 | |
https://access.redhat.com/security/cve/CVE-2019-11761 | 2019-11-06 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1764442 | 2019-11-06 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | < 70.0 Search vendor "Mozilla" for product "Firefox" and version " < 70.0" | - |
Affected
| ||||||
Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | < 68.2 Search vendor "Mozilla" for product "Firefox Esr" and version " < 68.2" | - |
Affected
| ||||||
Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | < 68.2 Search vendor "Mozilla" for product "Thunderbird" and version " < 68.2" | - |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | esm |
Affected
|