CVE-2019-11712Cross-Site Request Forgery in Mozilla Firefox

CWE-352Cross-Site Request ForgeryCWE-829Inclusion of Functionality from Untrusted Control Sphere12 documents7 sources
Severity
8.8HIGHNVD
OSV9.8
EPSS
0.4%
top 40.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird+3 more
Timeline
PublishedJul 23
Latest updateMay 24

Description

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages11 packages

debiandebian/firefox< firefox 68.0-1 (sid)
CVEListV5mozilla/firefoxunspecified68
NVDmozilla/firefox< 60.8.0+1
debiandebian/firefox-esr< firefox 68.0-1 (sid)
CVEListV5mozilla/firefox_esrunspecified60.8

🔴Vulnerability Details

5
GHSA
GHSA-f95x-f7xq-cfm6: POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements2022-05-24
OSV
firefox regressions2019-07-25
OSV
CVE-2019-11712: POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements2019-07-23
OSV
thunderbird vulnerabilities2019-07-17
OSV
firefox vulnerabilities2019-07-12

📋Vendor Advisories

5
Ubuntu
Firefox regressions2019-07-25
Ubuntu
Thunderbird vulnerabilities2019-07-17
Ubuntu
Firefox vulnerabilities2019-07-12
Red Hat
Mozilla: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects2019-07-10
Debian
CVE-2019-11712: firefox - POST requests made by NPAPI plugins, such as Flash, that receive a status 308 re...2019

💬Community

1
Bugzilla
CVE-2019-11712 Mozilla: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects2019-07-10