CVE-2019-11761

MEDIUM

Description

By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1561502

https://security.gentoo.org/glsa/202003-10

https://www.mozilla.org/security/advisories/mfsa2019-33/

https://www.mozilla.org/security/advisories/mfsa2019-34/

https://www.mozilla.org/security/advisories/mfsa2019-35/

Details

Source: MITRE

Published: 2020-01-08

Updated: 2020-03-14

Type: CWE-269

Risk Information

CVSS v2.0

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 5.4

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Impact Score: 2.5

Exploitability Score: 2.8

Severity: MEDIUM