CVE-2019-11712

high

Description

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

References

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html

https://bugzilla.mozilla.org/show_bug.cgi?id=1543804

https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html

https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html

https://security.gentoo.org/glsa/201908-12

https://security.gentoo.org/glsa/201908-20

https://www.mozilla.org/security/advisories/mfsa2019-21/

https://www.mozilla.org/security/advisories/mfsa2019-22/

https://www.mozilla.org/security/advisories/mfsa2019-23/

Details

Source: MITRE

Published: 2019-07-23

Updated: 2019-07-29

Type: CWE-352

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.8

Severity: HIGH

Tenable Plugins

ID | Name | Product | Family | Severity
150682 | SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2019:14124-1) | Nessus | SuSE Local Security Checks | critical
145669 | CentOS 8 : thunderbird (CESA-2019:1799) | Nessus | CentOS Local Security Checks | critical
145616 | CentOS 8 : firefox (CESA-2019:1764) | Nessus | CentOS Local Security Checks | critical
134411 | NewStart CGSL MAIN 4.05 : firefox Multiple Vulnerabilities (NS-SA-2020-0017) | Nessus | NewStart CGSL Local Security Checks | critical
134410 | NewStart CGSL MAIN 4.05 : thunderbird Multiple Vulnerabilities (NS-SA-2020-0022) | Nessus | NewStart CGSL Local Security Checks | critical
131777 | NewStart CGSL MAIN 4.06 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0212) | Nessus | NewStart CGSL Local Security Checks | critical
131768 | NewStart CGSL MAIN 4.06 : firefox Multiple Vulnerabilities (NS-SA-2019-0210) | Nessus | NewStart CGSL Local Security Checks | critical
129901 | NewStart CGSL CORE 5.04 / MAIN 5.04 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0180) | Nessus | NewStart CGSL Local Security Checks | critical
129899 | NewStart CGSL CORE 5.04 / MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2019-0181) | Nessus | NewStart CGSL Local Security Checks | critical
129772 | SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:2620-1) | Nessus | SuSE Local Security Checks | high
129663 | openSUSE Security Update : MozillaThunderbird (openSUSE-2019-2249) | Nessus | SuSE Local Security Checks | high
129662 | openSUSE Security Update : MozillaThunderbird (openSUSE-2019-2248) | Nessus | SuSE Local Security Checks | high
128970 | Mozilla Thunderbird < 68.0 | Nessus | Windows | high
128969 | Mozilla Thunderbird < 68.0 | Nessus | MacOS X Local Security Checks | high
128968 | Virtuozzo 7 : firefox (VZLSA-2019-1763) | Nessus | Virtuozzo Local Security Checks | critical
128704 | NewStart CGSL CORE 5.05 / MAIN 5.05 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0170) | Nessus | NewStart CGSL Local Security Checks | critical
128702 | NewStart CGSL CORE 5.05 / MAIN 5.05 : firefox Multiple Vulnerabilities (NS-SA-2019-0171) | Nessus | NewStart CGSL Local Security Checks | critical
127969 | GLSA-201908-20 : Mozilla Thunderbird: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
127961 | GLSA-201908-12 : Mozilla Firefox: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
127733 | openSUSE Security Update : MozillaThunderbird (openSUSE-2019-1813) | Nessus | SuSE Local Security Checks | critical
127731 | openSUSE Security Update : MozillaFirefox (openSUSE-2019-1811) | Nessus | SuSE Local Security Checks | critical
127600 | Oracle Linux 8 : thunderbird (ELSA-2019-1799) | Nessus | Oracle Linux Local Security Checks | critical
127598 | Oracle Linux 8 : firefox (ELSA-2019-1764) | Nessus | Oracle Linux Local Security Checks | critical
127479 | Debian DLA-1870-1 : thunderbird security update | Nessus | Debian Local Security Checks | critical
127478 | Debian DLA-1869-1 : firefox-esr security update | Nessus | Debian Local Security Checks | critical
127093 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : Firefox regressions (USN-4054-2) | Nessus | Ubuntu Local Security Checks | high
127030 | Oracle Linux 6 : thunderbird (ELSA-2019-1777) | Nessus | Oracle Linux Local Security Checks | critical
126912 | openSUSE Security Update : MozillaFirefox (openSUSE-2019-1782) | Nessus | SuSE Local Security Checks | critical
126816 | Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : Thunderbird vulnerabilities (USN-4064-1) | Nessus | Ubuntu Local Security Checks | critical
126810 | SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2019:1869-1) | Nessus | SuSE Local Security Checks | critical
126808 | SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:1861-1) | Nessus | SuSE Local Security Checks | critical
126792 | CentOS 6 : thunderbird (CESA-2019:1777) | Nessus | CentOS Local Security Checks | critical
126791 | CentOS 7 : thunderbird (CESA-2019:1775) | Nessus | CentOS Local Security Checks | critical
126762 | RHEL 8 : thunderbird (RHSA-2019:1799) | Nessus | Red Hat Local Security Checks | critical
126714 | Scientific Linux Security Update : thunderbird on SL7.x x86_64 (20190715) | Nessus | Scientific Linux Local Security Checks | critical
126713 | Scientific Linux Security Update : thunderbird on SL6.x i386/x86_64 (20190715) | Nessus | Scientific Linux Local Security Checks | critical
126712 | RHEL 6 : thunderbird (RHSA-2019:1777) | Nessus | Red Hat Local Security Checks | critical
126711 | RHEL 7 : thunderbird (RHSA-2019:1775) | Nessus | Red Hat Local Security Checks | critical
126708 | Oracle Linux 7 : thunderbird (ELSA-2019-1775) | Nessus | Oracle Linux Local Security Checks | critical
126704 | Mozilla Thunderbird < 60.8 | Nessus | Windows | critical
126703 | Mozilla Thunderbird < 60.8 | Nessus | MacOS X Local Security Checks | critical
126698 | Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : Firefox vulnerabilities (USN-4054-1) | Nessus | Ubuntu Local Security Checks | high
126684 | Scientific Linux Security Update : firefox on SL7.x x86_64 (20190711) | Nessus | Scientific Linux Local Security Checks | critical
126683 | Scientific Linux Security Update : firefox on SL6.x i386/x86_64 (20190711) | Nessus | Scientific Linux Local Security Checks | critical
126682 | RHEL 6 : firefox (RHSA-2019:1765) | Nessus | Red Hat Local Security Checks | critical
126681 | RHEL 8 : firefox (RHSA-2019:1764) | Nessus | Red Hat Local Security Checks | critical
126680 | RHEL 7 : firefox (RHSA-2019:1763) | Nessus | Red Hat Local Security Checks | critical
126672 | Oracle Linux 6 : firefox (ELSA-2019-1765) | Nessus | Oracle Linux Local Security Checks | critical
126671 | Oracle Linux 7 : firefox (ELSA-2019-1763) | Nessus | Oracle Linux Local Security Checks | critical
126657 | Debian DSA-4482-1 : thunderbird - security update | Nessus | Debian Local Security Checks | critical
126654 | Debian DSA-4479-1 : firefox-esr - security update | Nessus | Debian Local Security Checks | critical
126651 | CentOS 6 : firefox (CESA-2019:1765) | Nessus | CentOS Local Security Checks | critical
126650 | CentOS 7 : firefox (CESA-2019:1763) | Nessus | CentOS Local Security Checks | critical
126624 | Mozilla Firefox ESR < 60.8 | Nessus | Windows | critical
126623 | Mozilla Firefox ESR < 60.8 | Nessus | MacOS X Local Security Checks | critical
126622 | Mozilla Firefox < 68.0 | Nessus | Windows | high
126621 | Mozilla Firefox < 68.0 | Nessus | MacOS X Local Security Checks | high
126614 | Slackware 14.2 / current : mozilla-firefox (SSA:2019-191-01) | Nessus | Slackware Local Security Checks | critical
126592 | FreeBSD : mozilla -- multiple vulnerabilities (0592f49f-b3b8-4260-b648-d1718762656c) | Nessus | FreeBSD Local Security Checks | high