CVE-2019-11695
published 2019-07-23


Priority: P277 · medium
CVSS 3.0: 4.3 (AV:N / AC:L / PR:N / UI:R / S:U / C:N / I:L / A:N)
ITW: listed in VulnCheck KEV · exploited in the wild
EPSS: 0.74% (49.9th percentile)
A custom cursor defined by scripting on a site can position itself over the addressbar to spoof the actual cursor when it should not be allowed outside of the primary web content area. This could be used by a malicious site to trick users into clicking on permission prompts, doorhanger notifications, or other buttons inadvertently if the location is spoofed over the user interface. This vulnerability affects Firefox < 67.

Affected (9 ranges)

Vendor  | Product | Version range                          | Fixed in
debian  | firefox | < firefox 67.0-2 (sid)                 | firefox 67.0-2 (sid)
mozilla | firefox | < 67.0                                 | 67.0
mozilla | firefox | >= 0, < 67.0+build2-0ubuntu0.16.04.1   | 67.0+build2-0ubuntu0.16.04.1
mozilla | firefox | >= 0, < 67.0.2+build2-0ubuntu0.16.04.1 | 67.0.2+build2-0ubuntu0.16.04.1
mozilla | firefox | >= 0, < 67.0.1+build1-0ubuntu0.16.04.1 | 67.0.1+build1-0ubuntu0.16.04.1
mozilla | firefox | >= 0, < 67.0+build2-0ubuntu0.18.04.1   | 67.0+build2-0ubuntu0.18.04.1
mozilla | firefox | >= 0, < 67.0.2+build2-0ubuntu0.18.04.1 | 67.0.2+build2-0ubuntu0.18.04.1
mozilla | firefox | >= 0, < 67.0.1+build1-0ubuntu0.18.04.1 | 67.0.1+build1-0ubuntu0.18.04.1
mozilla | firefox | >= unspecified, < 67                   | 67

Detection & IOCs (extracted from sources)

  • A malicious site uses a scripted custom CSS cursor positioned outside the primary web content area, overlapping the browser address bar or UI elements (permission prompts, doorhanger notifications), to spoof the real cursor and trick the user into clicking.
  • Firefox versions strictly below 67 are vulnerable; the presence of Firefox < 67 in the environment indicates exposure to this cursor-spoofing UI redress attack.
  • The vulnerability is scoped as local exploitation; the fix was shipped in Firefox 67.0-2 on Debian sid. Environments still running Firefox < 67 remain exposed.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 4.3   | MEDIUM   | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvd           | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N
osv           |         | 9.8   | CRITICAL |
vulncheck     |         | 4.3   | MEDIUM   |
vendor_ubuntu |         | 9.8   | CRITICAL |
vendor_debian |         | 4.3   | MEDIUM   |