First published: Tue Oct 22 2019(Updated: )
A vulnerability was found in Mozilla Firefox and Thunderbird. Privileged JSONView objects that have been cloned into content can be accessed using a form with a data URI. This flaw bypasses existing defense-in-depth mechanisms and can be exploited over the network.
Credit: security@mozilla.org security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/firefox | <0:68.2.0-4.el6_10 | 0:68.2.0-4.el6_10 |
redhat/thunderbird | <0:68.2.0-2.el6_10 | 0:68.2.0-2.el6_10 |
redhat/firefox | <0:68.2.0-1.el7_7 | 0:68.2.0-1.el7_7 |
redhat/thunderbird | <0:68.2.0-1.el7_7 | 0:68.2.0-1.el7_7 |
redhat/firefox | <0:68.2.0-2.el8_0 | 0:68.2.0-2.el8_0 |
redhat/thunderbird | <0:68.2.0-1.el8_0 | 0:68.2.0-1.el8_0 |
redhat/firefox | <68.2 | 68.2 |
redhat/thunderbird | <68.2 | 68.2 |
Mozilla Thunderbird | <68.2 | 68.2 |
Mozilla Firefox ESR | <68.2 | 68.2 |
Mozilla Firefox | <70 | 70 |
Mozilla Firefox | <70.0 | |
Mozilla Firefox ESR | <68.2 | |
Mozilla Thunderbird | <68.2 | |
Canonical Ubuntu Linux | =16.04 | |
debian/firefox | 133.0.3-1 | |
debian/firefox-esr | 115.14.0esr-1~deb11u1 128.5.0esr-1~deb11u1 128.3.1esr-1~deb12u1 128.5.0esr-1~deb12u1 128.5.0esr-1 128.5.1esr-1 | |
debian/thunderbird | 1:115.12.0-1~deb11u1 1:128.5.0esr-1~deb11u1 1:115.16.0esr-1~deb12u1 1:128.5.0esr-1~deb12u1 1:128.5.0esr-1 1:128.5.2esr-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
(Found alongside the following vulnerabilities)
CVE-2019-11761 is a vulnerability that allows an attacker to gain access to the privileged JSONView object in Firefox and Thunderbird.
Exposing the privileged JSONView object could bypass existing defense mechanisms, although the impact appears to be minimal.
Firefox versions prior to 70 and Thunderbird versions prior to 68.2 are affected by CVE-2019-11761.
CVE-2019-11761 has a severity rating of medium, with a CVSS score of 5.4.
To fix CVE-2019-11761, users should update their Firefox and Thunderbird installations to versions 70 and 68.2, respectively.