CVE-2019-9794: Argument Injection in Mozilla Firefox

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.4% (top 38.10%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 26 | Latest update May 24

Description

A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell handler for URLs. This could be used to retrieve and execute files whose location is supplied through these command line arguments if Firefox is configured as the default URI handler for a given URI scheme in third party applications and these applications insufficiently sanitize URL data. *Note: This issue only affects Windows operating systems. Other operating sy

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (8 packages)

CVEListV5 | mozilla/firefox | unspecified | 66
NVD | mozilla/firefox | < 60.6.0 +1
CVEListV5 | mozilla/firefox_esr | unspecified | 60.6

🔴 Vulnerability Details (2)

GHSA
GHSA-2cx8-vq8f-mwm5: A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell handler for URLs (2022-05-24)
OSV
CVE-2019-9794: A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell handler for URLs (2019-04-26)

📋 Vendor Advisories (2)

Red Hat
Mozilla: Command line arguments not discarded during execution (2019-03-20)
Debian
CVE-2019-9794: firefox - A vulnerability was discovered where specific command line arguments are not pro... (2019)

💬 Community (2)

Bugzilla
File association Remote Code Execution via command line parameter injection in Firefox (2020-01-02)
Bugzilla
CVE-2019-9794 Mozilla: Command line arguments not discarded during execution (2019-03-20)