SB2019102426 - Permissions, Privileges, and Access Controls in firefox (Alpine package)

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019102426

SB2019102426 - Permissions, Privileges, and Access Controls in firefox (Alpine package)

Published: October 24, 2019

Security Bulletin ID SB2019102426
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-11765)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to the way Firefox handles messages to the parent process that trigger the 'Click to Play' permission prompt to be shown. A remote attacker can create a specially crafted web page and assign arbitrary permissions instead of 'Click to Play' permission, if the user accepted the permission request.



Remediation

Install update from vendor's website.

References