CVE-2019-11761
MEDIUMFirefox < 70, Thunderbird < 68.2, Firefox ESR < 68.2 - CSRF
Title source: llmDescription
By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.
References (6)
Core 6
Core References
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2019-35/
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2019-33/
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2019-34/
Issue Tracking, Permissions Required x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1561502
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202003-10
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4335-1/
Scores
CVSS v3
5.4
EPSS
0.0041
EPSS Percentile
61.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Details
CWE
CWE-862
CWE-362
Status
published
Products (4)
canonical/ubuntu_linux
16.04
mozilla/firefox
< 70.0
mozilla/firefox_esr
< 68.2
mozilla/thunderbird
< 68.2
Published
Jan 08, 2020
Tracked Since
Feb 18, 2026