Permissions, Privileges, and Access Controls in Mozilla Firefox

#VU22169 Permissions, Privileges, and Access Controls in Mozilla Firefox

Published: 2019-10-23

Vulnerability identifier: #VU22169

Vulnerability risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11765

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to the way Firefox handles messages to the parent process that trigger the 'Click to Play' permission prompt to be shown. A remote attacker can create a specially crafted web page and assign arbitrary permissions instead of 'Click to Play' permission, if the user accepted the permission request.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 60.0 - 69.0.3

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2019-34/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Arch Linux update for firefox

Ubuntu update for Firefox

Permissions, Privileges, and Access Controls in firefox (Alpine package)

Multiple vulnerabilities in Mozilla Firefox