CVE-2019-11717

MEDIUM

Firefox ESR <60.8-Firefox <68-Thunderbird <60.8 - SSRF

Title source: llm

Description

A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

References (13)

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html

[Exploit, Issue Tracking, Vendor Advisory] https://bugzilla.mozilla.org/show_bug.cgi?id=1548306

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html

[Third Party Advisory] https://security.gentoo.org/glsa/201908-12

[Third Party Advisory] https://security.gentoo.org/glsa/201908-20

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2019-21/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2019-22/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2019-23/

Scores

CVSS v3 5.3

EPSS 0.0469

EPSS Percentile 89.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-116

Status published

Affected Products (6)

mozilla/firefox < 60.8.0

mozilla/thunderbird < 60.8.0

debian/debian_linux

novell/suse_package_hub_for_suse_linux_enterprise

opensuse/leap

opensuse/leap

Timeline

Published Jul 23, 2019

Tracked Since Feb 18, 2026