CVE-2019-11754 - Unspecified vulnerability in Mozilla Firefox

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: LOW
Availability impact: NONE

Summary

When the pointer lock is enabled by a website through requestPointerLock(), no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users. This vulnerability affects Firefox < 69.0.1.

Vulnerable Configurations

Part         Description   Count
Application  Mozilla       628

Nessus

  • NASL family: Windows
    NASL id: MOZILLA_FIREFOX_69_0_1.NASL
    description: The version of Firefox installed on the remote Windows host is prior to 69.0.1. It is, therefore, affected by the following vulnerability as referenced in the mfsa2019-31 advisory: - When the pointer lock is enabled by a website through requestPointerLock(), no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129101
    published: 2019-09-23
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129101
    title: Mozilla Firefox < 69.0.1
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from Mozilla Foundation Security Advisory mfsa2019-31.
    # The text itself is copyright (C) Mozilla Foundation.
    
    include('compat.inc');
    
    if (description)
    {
      script_id(129101);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/08");
    
      script_cve_id("CVE-2019-11754");
      script_xref(name:"MFSA", value:"2019-31");
    
      script_name(english:"Mozilla Firefox < 69.0.1");
      script_summary(english:"Checks version of Mozilla Firefox");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web browser installed on the remote Windows host is affected by a vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Firefox installed on the remote Windows host is prior to 69.0.1. It is, therefore, affected by the
    following vulnerability as referenced in the mfsa2019-31 advisory:
    
      - When the pointer lock is enabled by a website though
        requestPointerLock(), no user notification is given.
        This could allow a malicious website to hijack the mouse
        pointer and confuse users.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2019-31/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Mozilla Firefox version 69.0.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11754");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/23");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mozilla_org_installed.nasl");
      script_require_keys("Mozilla/Firefox/Version");
    
      exit(0);
    }
    
    include('mozilla_version.inc');
    
    port = get_kb_item('SMB/transport');
    if (!port) port = 445;
    
    installs = get_kb_list('SMB/Mozilla/Firefox/*');
    if (isnull(installs)) audit(AUDIT_NOT_INST, 'Firefox');
    
    mozilla_check_version(installs:installs, product:'firefox', esr:FALSE, fix:'69.0.1', severity:SECURITY_WARNING);
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOS_FIREFOX_69_0_1.NASL
    description: The version of Firefox installed on the remote macOS or Mac OS X host is prior to 69.0.1. It is, therefore, affected by the following vulnerability as referenced in the mfsa2019-31 advisory: - When the pointer lock is enabled by a website through requestPointerLock(), no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129100
    published: 2019-09-23
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129100
    title: Mozilla Firefox < 69.0.1
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4140-1.NASL
    description: It was discovered that no user notification was given when pointer lock is enabled. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to hijack the mouse pointer and confuse users. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129385
    published: 2019-09-26
    reporter: Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129385
    title: Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : firefox vulnerability (USN-4140-1)