CVE-2019-9803

HIGH

Firefox < 66 - Info Disclosure

Title source: llm

Description

The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must be upgraded to HTTPS. Firefox will incorrectly navigate to an HTTP URL rather than perform the security upgrade requested by the CSP in some circumstances, allowing for potential man-in-the-middle attacks on the linked resources. This vulnerability affects Firefox < 66.

References (4)

[Issue Tracking, Vendor Advisory] https://bugzilla.mozilla.org/show_bug.cgi?id=1437009

[Issue Tracking, Permissions Required, Vendor Advisory] https://bugzilla.mozilla.org/show_bug.cgi?id=1515863

[Third Party Advisory] https://w3c.github.io/webappsec-upgrade-insecure-requests/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2019-07/

Scores

CVSS v3 7.4

EPSS 0.0013

EPSS Percentile 31.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Classification

CWE

CWE-346

Status published

Affected Products (1)

mozilla/firefox < 66.0

Timeline

Published Apr 26, 2019

Tracked Since Feb 18, 2026