CVE-2019-11697
published 2019-07-23


Priority: P4, 28, medium, 6.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS: 0.85% (53.6th percentile)
If the ALT and "a" keys are pressed when users receive an extension installation prompt, the extension will be installed without the install prompt delay that keeps the prompt visible in order for users to accept or decline the installation. A malicious web page could use this with spoofing on the page to trick users into installing a malicious extension. This vulnerability affects Firefox < 67.

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 67.0-2 (sid) | firefox 67.0-2 (sid) |
| mozilla | firefox | < 67.0 | 67.0 |
| mozilla | firefox | >= 0 < 67.0+build2-0ubuntu0.16.04.1 | 67.0+build2-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 67.0.2+build2-0ubuntu0.16.04.1 | 67.0.2+build2-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 67.0.1+build1-0ubuntu0.16.04.1 | 67.0.1+build1-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 67.0+build2-0ubuntu0.18.04.1 | 67.0+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 67.0.2+build2-0ubuntu0.18.04.1 | 67.0.2+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 67.0.1+build1-0ubuntu0.18.04.1 | 67.0.1+build1-0ubuntu0.18.04.1 |
| mozilla | firefox | >= unspecified < 67 | 67 |

CVSS provenance

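| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 9.8 | CRITICAL | |
| vendor_debian | | 6.5 | MEDIUM | |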