CVE-2019-11751: Argument Injection in Mozilla Firefox

Severity: 8.8 HIGH (NVD)
EPSS: 0.5% (top 33.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 27
Latest update: May 24

Description

Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used to write a log file to an arbitrary location such as the Windows 'Startup' folder. *Note: this issue only affects Firefox on Windows operating systems.* This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (6 packages)

CVEListV5 | mozilla/firefox | unspecified | 69
NVD | mozilla/firefox | < 69.0
CVEListV5 | mozilla/firefox_esr | unspecified | 68.1
NVD | mozilla/firefox_esr | < 68.1.0

Vulnerability Details (2)

GHSA (2022-05-24)
GHSA-mm6c-gvcp-4p56: Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on maliciou
OSV (2019-09-27)
CVE-2019-11751: Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on maliciou

Vendor Advisories (2)

Red Hat (2019-09-03)
Mozilla: Malicious code execution through command line parameters
Debian (2019)
CVE-2019-11751: firefox - Logging-related command line parameters are not properly sanitized when Firefox ...

Community (2)

Bugzilla (2019-09-04)
CVE-2019-11751 Mozilla: Malicious code execution through command line parameters
Bugzilla (2019-09-03)
Firefox 69.0 is available