CVE-2019-11765
published 2020-01-08CVE-2019-11765: A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to…
PriorityP429medium6.5CVSS 3.1
AVNACLPRNUIRSUCNIHAN
EPSS
0.84%
53.5th percentile
A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepted the permission request an attacker-controlled permission would be granted rather than the 'Click to Play' permission. This vulnerability affects Firefox < 70.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 70.0-1 (sid) | firefox 70.0-1 (sid) |
| mozilla | firefox | < 70.0 | 70.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 70.0+build2-0ubuntu0.16.04.1 | 70.0+build2-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 70.0+build2-0ubuntu0.18.04.1 | 70.0+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 70.0+build2-0ubuntu1 | 70.0+build2-0ubuntu1 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv6.5MEDIUM
vendor_debian6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2019-10-23
CVE-2018-6156 Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass security
restrictions, bypass same-origin restrictions, conduct cross-site
scripting (XSS) attacks, bypass content security policy (CSP) protections,
or execute arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make
all the necessary changes.
Debian
CVE-2019-11765: firefox - A compromised content process could send a message to the parent process that wo...
vendor_debian·2019·CVSS 6.5
CVE-2019-11765 [MEDIUM] CVE-2019-11765: firefox - A compromised content process could send a message to the parent process that wo...
A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepted the permission request an attacker-controlled permission would be granted rather than the 'Click to Play' permission. This vulnerability affects Firefox < 70.
Scope: local
sid: resolved (fixed in 70.0-1)
GHSA
GHSA-54vc-64p7-55q5: A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown
ghsa_unreviewed·2022-05-24
CVE-2019-11765 [MEDIUM] GHSA-54vc-64p7-55q5: A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown
A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepted the permission request an attacker-controlled permission would be granted rather than the 'Click to Play' permission. This vulnerability affects Firefox < 70.
OSV
CVE-2019-11765: A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown
osv·2019-10-23·CVSS 6.5
CVE-2019-11765 [MEDIUM] CVE-2019-11765: A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown
A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepted the permission request an attacker-controlled permission would be granted rather than the 'Click to Play' permission. This vulnerability affects Firefox < 70.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-01-08
Published