CVE-2019-11765 — Incorrect Default Permissions in Mozilla Firefox

CWE-276 — Incorrect Default Permissions5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 45.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJan 8

Latest updateMay 24

Description

A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepted the permission request an attacker-controlled permission would be granted rather than the 'Click to Play' permission. This vulnerability affects Firefox < 70.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/firefox< firefox 70.0-1 (sid)

▶NVDmozilla/firefox< 70.0

▶Ubuntumozilla/firefox< 70.0+build2-0ubuntu0.16.04.1+2

▶CVEListV5mozilla/firefoxbefore 70

🔴Vulnerability Details

GHSA

GHSA-54vc-64p7-55q5: A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown↗2022-05-24

▶

OSV

CVE-2019-11765: A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown↗2019-10-23

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2019-10-23

▶

Debian

CVE-2019-11765: firefox - A compromised content process could send a message to the parent process that wo...↗2019

▶