CVE-2019-11702 — Missing Authorization in Mozilla Firefox

CWE-862 — Missing Authorization CWE-552 — Files or Directories Accessible to External Parties5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 40.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJul 23

Latest updateMay 24

Description

A hyperlink using protocols associated with Internet Explorer, such as IE.HTTP:, can be used to open local files at a known location with Internet Explorer if a user approves execution when prompted. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 67.0.2.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5mozilla/firefoxunspecified — 67.0.2

▶NVDmozilla/firefox< 67.0.2

▶debiandebian/firefox

🔴Vulnerability Details

GHSA

GHSA-wm33-w546-hfhw: A hyperlink using protocols associated with Internet Explorer, such as IE↗2022-05-24

▶

📋Vendor Advisories

Red Hat

Mozilla: IE protocols can be used to open known local files↗2019-06-11

▶

Debian

CVE-2019-11702: firefox - A hyperlink using protocols associated with Internet Explorer, such as IE.HTTP:,...↗2019

▶

💬Community

Bugzilla

CVE-2019-11702 Mozilla: IE protocols can be used to open known local files↗2019-06-19

▶