Permissions, Privileges, and Access Controls in Mozilla Firefox - CVE-2019-9801
Published: March 21, 2019 / Updated: March 21, 2019
Vulnerability identifier: #VU18039
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-9801
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Mozilla
Affected software:
Mozilla Firefox
Mozilla Firefox
Detailed vulnerability description
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to Firefox accepts any registered Program ID as an external protocol handler and offer to launch this local application when given a matching URL on Windows operating systems. A remote attacker can trick the victim to open a specially crafted link and execute an arbitrary application on the system with privileges of the current user.
Note: this vulnerability affects Windows operating system only.
How to mitigate CVE-2019-9801
Install updates from vendor's website.