CVE-2019-11742
First published: Tue Sep 03 2019(Updated: )
A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Thunderbird | <68.1 | 68.1 |
| Mozilla Firefox ESR | <68.1 | 68.1 |
| Mozilla Firefox | <69.0 | |
| Mozilla Firefox ESR | <60.9.0 | |
| Mozilla Firefox ESR | >=68.0<68.1.0 | |
| Mozilla Thunderbird | <60.9.0 | |
| Mozilla Thunderbird | >=68.0<68.1.0 | |
| Mozilla Thunderbird | <60.9 | 60.9 |
| Mozilla Firefox | <69 | 69 |
| Mozilla Firefox ESR | <60.9 | 60.9 |
| debian/firefox | 132.0.2-1 | |
| debian/firefox-esr | 115.14.0esr-1~deb11u1 128.4.0esr-1~deb11u1 128.3.1esr-1~deb12u1 128.4.0esr-1~deb12u1 128.3.1esr-2 128.4.0esr-1 | |
| debian/thunderbird | 1:115.12.0-1~deb11u1 1:128.4.0esr-1~deb11u1 1:115.16.0esr-1~deb12u1 1:128.4.0esr-1~deb12u1 1:128.4.2esr-1 1:128.4.3esr-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1559715
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-30/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html
- https://security.gentoo.org/glsa/201911-07
- https://usn.ubuntu.com/4150-1/
- https://www.mozilla.org/security/advisories/mfsa2019-25/
- https://www.mozilla.org/security/advisories/mfsa2019-26/
- https://www.mozilla.org/security/advisories/mfsa2019-27/
- https://www.mozilla.org/security/advisories/mfsa2019-29/
- https://www.mozilla.org/security/advisories/mfsa2019-30/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/
- https://launchpad.net/bugs/cve/CVE-2019-11742
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11750
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11742
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11742
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11742
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11742
- https://security-tracker.debian.org/tracker/CVE-2019-11742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11742
- https://nvd.nist.gov/vuln/detail/CVE-2019-11742
- https://ubuntu.com/security/CVE-2019-11742
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2019-11739
- CVE-2019-11746
- CVE-2019-11744
- CVE-2019-11742
- CVE-2019-11752
- CVE-2019-11743
- CVE-2019-11740
- CVE-2019-11751
- CVE-2019-11736
- CVE-2019-11753
- CVE-2019-9812
- CVE-2019-11748
- CVE-2019-11749
- CVE-2019-11750
- CVE-2019-11738
- CVE-2019-11747
- CVE-2019-11735
- CVE-2019-11741
- CVE-2019-5849
- CVE-2019-11737
- CVE-2019-11734
- CVE-2019-11758
Frequently Asked Questions
What is CVE-2019-11742?
CVE-2019-11742 is a vulnerability that allows for the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content.
How does CVE-2019-11742 work?
CVE-2019-11742 works by exploiting a same-origin policy violation that allows for the theft of cross-origin images using SVG filters and a <canvas> element.
Which software products are affected by CVE-2019-11742?
Mozilla Firefox ESR versions up to 68.1, Mozilla Firefox versions up to 69, Mozilla Thunderbird versions up to 60.9, and Mozilla Firefox ESR versions up to 68.1 are affected by CVE-2019-11742.
What is the severity of CVE-2019-11742?
CVE-2019-11742 has a severity rating of high with a value of 7.
How can CVE-2019-11742 be fixed?
To fix CVE-2019-11742, update Mozilla Firefox ESR to version 68.1 or later, update Mozilla Firefox to version 69 or later, update Mozilla Thunderbird to version 60.9 or later, or update Mozilla Firefox ESR to version 68.1 or later.
- agent/type
- agent/first-publish-date
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- vendor/mozilla
- canonical/mozilla thunderbird
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- version/mozilla firefox esr/68.0
- version/mozilla thunderbird/68.0
- package-manager/debian