CVE-2019-11730
high-risk
Published 2019-07-23
A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
Do I need to act?
!
19.7% chance of exploitation in next 30 days
EPSS score — higher than 80% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10
Medium
NETWORK
/ LOW complexity
Affected Products (7)
References (26)
Issue Tracking
https://bugzilla.mozilla.org/show_bug.cgi?id=1558299
Third Party Advisory
https://security.gentoo.org/glsa/201908-12
Third Party Advisory
https://security.gentoo.org/glsa/201908-20
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-21/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-22/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-23/
Issue Tracking
https://bugzilla.mozilla.org/show_bug.cgi?id=1558299
and 6 more references
52
/ 100
high-risk
Severity
24/34 · High
Exploitability
14/34 · Moderate
Exposure
14/34 · Moderate