CVE-2019-11712

HIGH

Firefox ESR < 60.8 & Firefox < 68 & Thunderbird < 60.8 - CSRF

Title source: llm
STIX 2.1

Description

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

References (13)

Core 13
Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201908-12
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201908-20
Issue Tracking, Permissions Required, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1543804
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html

Scores

CVSS v3 8.8
EPSS 0.0037
EPSS Percentile 58.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (2)
mozilla/firefox < 60.8.0
mozilla/thunderbird < 60.8.0
Published Jul 23, 2019
Tracked Since Feb 18, 2026