CVE-2019-11733
Published: 2019-09-27
Priority: P3 41, critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.41% (69.4th percentile)
When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard through the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords. This vulnerability affects Firefox < 68.0.2 and Firefox ESR < 68.0.2.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 68.0.2-1 (sid) | firefox 68.0.2-1 (sid) |
| mozilla | firefox | < 68.0.2 | 68.0.2 |
| mozilla | firefox | >= 0 < 68.0.2+build1-0ubuntu0.16.04.1 | 68.0.2+build1-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 68.0.2+build1-0ubuntu0.18.04.1 | 68.0.2+build1-0ubuntu0.18.04.1 |
| mozilla | firefox | >= unspecified < 68.0.2 | 68.0.2 |
| mozilla | firefox_esr | >= unspecified < 68.0.2 | 68.0.2 |
CVSS provenance
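| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |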
GHSA
GHSA-pf22-jf54-7q9c: When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog
ghsa_unreviewed·2022-05-24
CVE-2019-11733 [MEDIUM] CWE-287
OSV
CVE-2019-11733: When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog
osv·2019-08-16·CVSS 9.8
CVE-2019-11733 [CRITICAL]
Ubuntu
Firefox vulnerability
vendor_ubuntu·2019-08-16
Title: Firefox vulnerability
Summary: A local attacker could obtain saved passwords.
It was discovered that passwords could be copied to the clipboard from the
"Saved Logins" dialog without entering the master password, even when a
master password has been set. A local attacker could potentially exploit
this to obtain saved passwords.
Instructions: After a standard system update you need to restart Firefox to make
all the necessary changes.
Red Hat
firefox: stored passwords in 'Saved Logins' can be copied without master password entry
vendor_redhat·2019-08-14·CVSS 9.8
CVE-2019-11733 [CRITICAL] CWE-862
Debian
CVE-2019-11733: firefox - When a master password is set, it is required to be entered again before stored ...
vendor_debian·2019·CVSS 9.8
CVE-2019-11733 [CRITICAL]
Scope: local
sid: resolved (fixed in 68.0.2-1)
No detection rules found.
No public exploits indexed.
Bugzilla
Master password prompt gives the appearance of a security check, but can be bypassed once it was already unlocked
bugzilla·2020-01-12·CVSS 9.8
[CRITICAL]
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Steps to reproduce:
1. Start Firefox (with a set up Master Password)
2. User enters the master password because he is forced by Firefox to enter it once initially at start
3. User uses his browser as usual
4. Attacker opens 'about:logins' and can reveal all saved passwords
Actual results:
The prompt for the master password gives the appearance that the passwords within 'about:logins' are somehow protected.
But without entering the master password, and without clicking on the "View Password" buttons, you can do the following things:
- You can search for passwords with the search field
Bugzilla
CVE-2019-11733 firefox: stored passwords in 'Saved Logins' can be copied without master password entry [fedora-all]
bugzilla·2019-08-26·CVSS 9.8
CVE-2019-11733 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this iss
Bugzilla
CVE-2019-11733 firefox: stored passwords in 'Saved Logins' can be copied without master password entry
bugzilla·2019-08-26·CVSS 9.8
CVE-2019-11733 [CRITICAL]
When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard through the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords.
Discussion:
Created firefox tracking bugs for this issue:
Affects: fedora-all [bug 1745688]
---
External References:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/
---
I am using 68.0.2 on F30 and I still see something I am not sure is correct.
What I
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html
https://bugzilla.mozilla.org/show_bug.cgi?id=1565780
https://www.mozilla.org/security/advisories/mfsa2019-24/