First published: Tue Mar 19 2019
Firefox will accept any registered Program ID as an external protocol handler and offer to launch this local application when given a matching URL on Windows operating systems. This should only happen if the program has specifically registered itself as a "URL Handler" in the Windows registry. Note: This issue only affects Windows operating systems. Other operating systems are unaffected.
Credit: security@mozilla.org
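The distinction described above can be checked on a registry export. The following is an added example, not code from Mozilla or from this page: it separates ProgIDs that carry the `URL Protocol` value (the marker Windows uses for a registered URL handler) from ProgIDs that only define an open command. The sample export, key names and function names are constructed for illustration, and the text is assumed to be already decoded from the export file.

```python
import re

# Constructed sample in "reg export" text form; key names and paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\examplemail]
@="URL:Example Mail Protocol"
"URL Protocol"=""
[HKEY_CLASSES_ROOT\examplemail\shell\open\command]
@="\"C:\\Program Files\\ExampleMail\\mail.exe\" \"%1\""
[HKEY_CLASSES_ROOT\Example.Document.1]
@="Example Document"
[HKEY_CLASSES_ROOT\Example.Document.1\shell\open\command]
@="\"C:\\Program Files\\ExampleApp\\app.exe\" \"%1\""
[HKEY_CLASSES_ROOT\Example.TypeLib]
@="No open command here"
'''

KEY_RE = re.compile(r'^\[(?P<path>.+)\]$')
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=')

def parse_reg(text):
    """Map each lower-cased key path to the set of value names it defines ('@' = default)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group('path').lower(), set())
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current.add((m.group('name') or '@').lower())
    return keys

def classify_progids(text, hive='hkey_classes_root'):
    """Split ProgIDs that have shell\\open\\command into URL handlers and plain ProgIDs."""
    keys = parse_reg(text)
    handlers, plain = [], []
    for path, values in keys.items():
        parts = path.split('\\')
        if len(parts) != 2 or parts[0] != hive:
            continue  # only top-level ProgID keys are classified
        if f'{path}\\shell\\open\\command' not in keys:
            continue  # no open command, nothing would be launched
        (handlers if 'url protocol' in values else plain).append(parts[1])
    return sorted(handlers), sorted(plain)
```

Only the first list should ever be offered as an external protocol handler; entries in the second list are the kind of ProgID the affected versions also accepted.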
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Thunderbird | <60.6 | 60.6 |
Mozilla Firefox ESR | <60.6 | 60.6 |
Mozilla Firefox | <66 | 66 |
Microsoft Windows | | |
CVE-2019-9801 is a vulnerability in Firefox and Thunderbird that allows any registered Program ID to be accepted as an external protocol handler on Windows operating systems.
Mozilla Firefox versions up to and including 66 are affected by CVE-2019-9801.
Mozilla Thunderbird versions up to and including 60.6 are affected by CVE-2019-9801.
CVE-2019-9801 has a severity rating of 5.3 (Medium).
Update Mozilla Firefox to version 66 or later, or update Mozilla Thunderbird to version 60.6 or later to mitigate CVE-2019-9801.