CVE-2019-11747

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a site. This includes removing any HTTP Strict Transport Security (HSTS) settings received from sites that use it. Due to a bug, sites on the pre-load list also have their HSTS setting removed. On the next visit to that site if the user specifies an http: URL rather than secure https: they will not be protected by the pre-loaded HSTS setting. After that visit the site's HSTS setting will be restored. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.

References

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html

https://bugzilla.mozilla.org/show_bug.cgi?id=1564481

https://www.mozilla.org/security/advisories/mfsa2019-25/

https://www.mozilla.org/security/advisories/mfsa2019-26/

Details

Source: MITRE

Published: 2019-09-27

Updated: 2019-10-05

Type: CWE-665

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Impact Score: 3.6

Exploitability Score: 2.8

Severity: MEDIUM

Tenable Plugins

View all (13 total)

IDNameProductFamilySeverity
145625CentOS 8 : firefox (CESA-2019:2663)NessusCentOS Local Security Checks
high
129772SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:2620-1)NessusSuSE Local Security Checks
high
129665openSUSE Security Update : MozillaFirefox (openSUSE-2019-2260)NessusSuSE Local Security Checks
high
129664openSUSE Security Update : MozillaFirefox (openSUSE-2019-2251)NessusSuSE Local Security Checks
high
129583SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2019:2545-1)NessusSuSE Local Security Checks
high
128599Oracle Linux 8 : firefox (ELSA-2019-2663)NessusOracle Linux Local Security Checks
high
128528Mozilla Firefox ESR < 68.1NessusWindows
high
128527Mozilla Firefox ESR < 68.1NessusMacOS X Local Security Checks
high
128525Mozilla Firefox < 69.0NessusWindows
high
128524Mozilla Firefox < 69.0NessusMacOS X Local Security Checks
high
128521Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : firefox vulnerabilities (USN-4122-1)NessusUbuntu Local Security Checks
high
128517RHEL 8 : firefox (RHSA-2019:2663)NessusRed Hat Local Security Checks
high
128491FreeBSD : mozilla -- multiple vulnerabilities (05463e0a-abd3-4fa4-bd5f-cd5ed132d4c6)NessusFreeBSD Local Security Checks
high