CVE-2019-11698 — Improper Input Validation in Mozilla Firefox
Severity
5.3MEDIUMNVD
OSV9.8
EPSS
0.4%
top 40.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJul 23
Latest updateMay 24
Description
If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4
Affected Packages11 packages
🔴Vulnerability Details
6GHSA▶
GHSA-28hh-9xvh-vcr3: If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the w↗2022-05-24
OSV▶
CVE-2019-11698: If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the w↗2019-07-23
📋Vendor Advisories
6💬Community
1Bugzilla▶
CVE-2019-11698 Mozilla: Theft of user history data through drag and drop of hyperlinks to and from bookmarks↗2019-05-22