CVE-2019-11730

 

Published at: - 23-07-2019 04:15

Last modified: - 24-09-2022 03:03

Total changes: - 2

Description

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Common Vulnerability Scoring System (CVSS)

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

 

Verification logic

 

Reference

• https://www.mozilla.org/security/advisories/mfsa2019-21/
• https://www.mozilla.org/security/advisories/mfsa2019-22/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1558299
• https://www.mozilla.org/security/advisories/mfsa2019-23/
• openSUSE-SU-2019:1811-Third Party Advisory
• openSUSE-SU-2019:1813-Third Party Advisory
• [debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update-Third Party Advisory
• [debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update-Third Party Advisory
• GLSA-201908-12-
• GLSA-201908-20-
• openSUSE-SU-2019:1990-
• openSUSE-SU-2019:2249-
• openSUSE-SU-2019:2248-

 

Keywords

NVD

 

CVE-2019-11730

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures