CVE-2019-11761: Race Condition in Mozilla Firefox

Severity: 5.4 MEDIUM (NVD) | OSV: 8.8 | OSV: 7.5
EPSS: 0.4% (top 36.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 8 | Latest update May 24

Description

By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages (8 packages)

NVD: mozilla/firefox < 70.0
CVEListV5: mozilla/firefox before 70
CVEListV5: mozilla/firefox_esr before 68.2

Also affects: Ubuntu Linux 16.04

🔴 Vulnerability Details (6)

GHSA: GHSA-44qm-5fqq-5hw7: By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content (2022-05-24)
OSV: thunderbird vulnerabilities (2020-04-21)
OSV: CVE-2019-11761: By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content (2020-01-08)
CVEList: CVE-2019-11761: By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content (2020-01-08)
OSV: thunderbird regression (2019-12-10)

📋 Vendor Advisories (6)

Ubuntu: Thunderbird vulnerabilities (2020-04-21)
Ubuntu: Thunderbird regression (2019-12-10)
Ubuntu: Thunderbird vulnerabilities (2019-11-26)
Ubuntu: Firefox vulnerabilities (2019-10-23)
Red Hat: Mozilla: Unintended access to a privileged JSONView object (2019-10-22)

💬 Community (1)

Bugzilla: CVE-2019-11761 Mozilla: Unintended access to a privileged JSONView object (2019-10-23)