CVE-2019-11721 — Encoding Error in Mozilla Firefox

CWE-172 — Encoding Error10 documents7 sources

Severity

6.5MEDIUMNVD

OSV9.8

EPSS

0.6%

top 31.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Opensuse Leap

Timeline

PublishedJul 23

Latest updateMay 24

Description

The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confusion. This vulnerability affects Firefox < 68.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/firefox< firefox 68.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 68

▶NVDmozilla/firefox< 68.0

▶Ubuntumozilla/firefox< 68.0+build3-0ubuntu0.16.04.1+3

▶NVDopensuse/leap15.0, 15.1+1

🔴Vulnerability Details

GHSA

GHSA-c59w-3gff-7wp9: The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar↗2022-05-24

▶

OSV

firefox regressions↗2019-07-25

▶

OSV

firefox vulnerabilities↗2019-07-12

▶

OSV

CVE-2019-11721: The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar↗2019-07-11

▶

📋Vendor Advisories

Ubuntu

Firefox regressions↗2019-07-25

▶

Ubuntu

Firefox vulnerabilities↗2019-07-12

▶

Red Hat

Mozilla: Domain spoofing through unicode latin 'kra' character↗2019-07-09

▶

Debian

CVE-2019-11721: firefox - The unicode latin 'kra' character can be used to spoof a standard 'k' character ...↗2019

▶

💬Community

Bugzilla

CVE-2019-11721 Mozilla: Domain spoofing through unicode latin 'kra' character↗2019-07-18

▶