Vulnerabilities > CVE-2019-9812 - Unspecified vulnerability in Mozilla Firefox

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
mozilla
critical
nessus

Summary

Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69.

Vulnerable Configurations

Part Description Count
Application
Mozilla
759

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2436-1.NASL
    descriptionThis update for MozillaFirefox to ESR 60.9 fixes the following issues : Security issues fixed : CVE-2019-11742: Fixed a same-origin policy violation involving SVG filters and canvas to steal cross-origin images. (bsc#1149303) CVE-2019-11746: Fixed a use-after-free while manipulating video. (bsc#1149297) CVE-2019-11744: Fixed an XSS caused by breaking out of title and textarea elements using innerHTML. (bsc#1149304) CVE-2019-11753: Fixed a privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (bsc#1149295) CVE-2019-11752: Fixed a use-after-free while extracting a key value in IndexedDB. (bsc#1149296) CVE-2019-11743: Fixed a timing side-channel attack on cross-origin information, utilizing unload event attributes. (bsc#1149298) CVE-2019-11740: Fixed several memory safety bugs. (bsc#1149299) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129286
    published2019-09-24
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129286
    titleSUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:2436-1)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2020-0017_FIREFOX.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has firefox packages installed that are affected by multiple vulnerabilities: - Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user
    last seen2020-03-18
    modified2020-03-11
    plugin id134411
    published2020-03-11
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134411
    titleNewStart CGSL MAIN 4.05 : firefox Multiple Vulnerabilities (NS-SA-2020-0017)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2694.NASL
    descriptionFrom Red Hat Security Advisory 2019:2694 : An update for firefox is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 25 September 2019] Previously, this erratum was marked as having a security impact of Critical. This was incorrect; the security impact of this erratum has been changed to Important, to correctly reflect the highest impact rating of CVE fixes included in this release. No changes have been made to the packages. Mozilla Firefox is an open source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.9.0 ESR. Security Fix(es) : * Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812) * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) * Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) * Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) * Mozilla: Use-after-free while manipulating video (CVE-2019-11746) * Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) * firefox: stored passwords in
    last seen2020-05-31
    modified2019-09-11
    plugin id128656
    published2019-09-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128656
    titleOracle Linux 6 : firefox (ELSA-2019-2694)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4516.NASL
    descriptionMultiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, cross-site scripting, bypass of the same-origin policy, sandbox escape, information disclosure or denial of service.
    last seen2020-06-01
    modified2020-06-02
    plugin id128534
    published2019-09-06
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128534
    titleDebian DSA-4516-1 : firefox-esr - security update
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2694.NASL
    descriptionAn update for firefox is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 25 September 2019] Previously, this erratum was marked as having a security impact of Critical. This was incorrect; the security impact of this erratum has been changed to Important, to correctly reflect the highest impact rating of CVE fixes included in this release. No changes have been made to the packages. Mozilla Firefox is an open source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.9.0 ESR. Security Fix(es) : * Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812) * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) * Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) * Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) * Mozilla: Use-after-free while manipulating video (CVE-2019-11746) * Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) * firefox: stored passwords in
    last seen2020-05-31
    modified2019-09-11
    plugin id128660
    published2019-09-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128660
    titleRHEL 6 : firefox (RHSA-2019:2694)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0192_FIREFOX.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has firefox packages installed that are affected by multiple vulnerabilities: - When a master password is set, it is required to be entered again before stored passwords can be accessed in the
    last seen2020-06-01
    modified2020-06-02
    plugin id129926
    published2019-10-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129926
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2019-0192)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2663.NASL
    descriptionAn update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 24 September 2019] Previously, this erratum was marked as having a security impact of Critical. This was incorrect; the security impact of this erratum has been changed to Important, to correctly reflect the highest impact rating of CVE fixes included in this release. No changes have been made to the packages. Mozilla Firefox is an open source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 68.1.0 ESR. Security Fix(es) : * Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812) * Mozilla: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 (CVE-2019-11735) * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) * Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) * Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) * Mozilla: Use-after-free while manipulating video (CVE-2019-11746) * Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) * Mozilla: Cross-origin access to unload event attributes (CVE-2019-11743) * Mozilla: Persistence of WebRTC permissions in a third party context (CVE-2019-11748) * Mozilla: Camera information available without prompting using getUserMedia (CVE-2019-11749) * Mozilla: Type confusion in Spidermonkey (CVE-2019-11750) * Mozilla: Content security policy bypass through hash-based sources in directives (CVE-2019-11738) * Mozilla:
    last seen2020-05-31
    modified2019-09-05
    plugin id128517
    published2019-09-05
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128517
    titleRHEL 8 : firefox (RHSA-2019:2663)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_05463E0AABD34FA4BD5FCD5ED132D4C6.NASL
    descriptionMozilla Foundation reports : CVE-2019-11751: Malicious code execution through command line parameters CVE-2019-11746: Use-after-free while manipulating video CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images CVE-2019-11736: File manipulation and privilege escalation in Mozilla Maintenance Service CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB CVE-2019-9812: Sandbox escape through Firefox Sync CVE-2019-11741: Isolate addons.mozilla.org and accounts.firefox.com CVE-2019-11743: Cross-origin access to unload event attributes CVE-2019-11748: Persistence of WebRTC permissions in a third party context CVE-2019-11749: Camera information available without prompting using getUserMedia CVE-2019-5849: Out-of-bounds read in Skia CVE-2019-11750: Type confusion in Spidermonkey CVE-2019-11737: Content security policy directives ignore port and path if host is a wildcard CVE-2019-11738: Content security policy bypass through hash-based sources in directives CVE-2019-11747:
    last seen2020-06-01
    modified2020-06-02
    plugin id128491
    published2019-09-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128491
    titleFreeBSD : mozilla -- multiple vulnerabilities (05463e0a-abd3-4fa4-bd5f-cd5ed132d4c6)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2251.NASL
    descriptionThis update for MozillaFirefox to 68.1 fixes the following issues : Security issues fixed : - CVE-2019-9811: Fixed a sandbox escape via installation of malicious language pack. (bsc#1140868) - CVE-2019-9812: Fixed a sandbox escape through Firefox Sync. (bsc#1149294) - CVE-2019-11710: Fixed several memory safety bugs. (bsc#1140868) - CVE-2019-11714: Fixed a potentially exploitable crash in Necko. (bsc#1140868) - CVE-2019-11716: Fixed a sandbox bypass. (bsc#1140868) - CVE-2019-11718: Fixed inadequate sanitation in the Activity Stream component. (bsc#1140868) - CVE-2019-11720: Fixed a character encoding XSS vulnerability. (bsc#1140868) - CVE-2019-11721: Fixed a homograph domain spoofing issue through unicode latin
    last seen2020-06-01
    modified2020-06-02
    plugin id129664
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129664
    titleopenSUSE Security Update : MozillaFirefox (openSUSE-2019-2251)
  • NASL familyWindows
    NASL idMOZILLA_FIREFOX_69_0.NASL
    descriptionThe version of Firefox installed on the remote Windows host is prior to 69.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-25 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id128525
    published2019-09-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128525
    titleMozilla Firefox < 69.0
  • NASL familyMacOS X Local Security Checks
    NASL idMACOS_FIREFOX_69_0.NASL
    descriptionThe version of Firefox installed on the remote macOS or Mac OS X host is prior to 69.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-25 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id128524
    published2019-09-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128524
    titleMozilla Firefox < 69.0
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2729.NASL
    descriptionFrom Red Hat Security Advisory 2019:2729 : An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 25 September 2019] Previously, this erratum was marked as having a security impact of Critical. This was incorrect; the security impact of this erratum has been changed to Important, to correctly reflect the highest impact rating of CVE fixes included in this release. No changes have been made to the packages. Mozilla Firefox is an open source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.9.0 ESR. Security Fix(es) : * Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812) * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) * Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) * Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) * Mozilla: Use-after-free while manipulating video (CVE-2019-11746) * Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) * firefox: stored passwords in
    last seen2020-05-31
    modified2019-09-12
    plugin id128747
    published2019-09-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128747
    titleOracle Linux 7 : firefox (ELSA-2019-2729)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0233_FIREFOX.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has firefox packages installed that are affected by multiple vulnerabilities: - When a master password is set, it is required to be entered again before stored passwords can be accessed in the
    last seen2020-06-01
    modified2020-06-02
    plugin id132503
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132503
    titleNewStart CGSL CORE 5.05 / MAIN 5.05 : firefox Multiple Vulnerabilities (NS-SA-2019-0233)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1910.NASL
    descriptionMultiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, cross-site scripting, bypass of the same-origin policy, sandbox escape, information disclosure or denial of service. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id128555
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128555
    titleDebian DLA-1910-1 : firefox-esr security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2545-1.NASL
    descriptionThis update for MozillaFirefox to 68.1 fixes the following issues : Security issues fixed : CVE-2019-9811: Fixed a sandbox escape via installation of malicious language pack. (bsc#1140868) CVE-2019-9812: Fixed a sandbox escape through Firefox Sync. (bsc#1149294) CVE-2019-11710: Fixed several memory safety bugs. (bsc#1140868) CVE-2019-11714: Fixed a potentially exploitable crash in Necko. (bsc#1140868) CVE-2019-11716: Fixed a sandbox bypass. (bsc#1140868) CVE-2019-11718: Fixed inadequate sanitation in the Activity Stream component. (bsc#1140868) CVE-2019-11720: Fixed a character encoding XSS vulnerability. (bsc#1140868) CVE-2019-11721: Fixed a homograph domain spoofing issue through unicode latin
    last seen2020-06-01
    modified2020-06-02
    plugin id129583
    published2019-10-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129583
    titleSUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2019:2545-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2620-1.NASL
    descriptionThis update for MozillaFirefox fixes the following issues : Updated to new ESR version 68.1 (bsc#1149323). In addition to the already fixed vulnerabilities released in previous ESR updates, the following were also fixed: CVE-2019-11751, CVE-2019-11736, CVE-2019-9812, CVE-2019-11748, CVE-2019-11749, CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735. Several run-time issues were also resolved (bsc#1117473, bsc#1124525, bsc#1133810). The version displayed in Help > About is now correct (bsc#1087200). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129772
    published2019-10-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129772
    titleSUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:2620-1)
  • NASL familyWindows
    NASL idMOZILLA_FIREFOX_68_1_ESR.NASL
    descriptionThe version of Firefox ESR installed on the remote Windows host is prior to 68.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-26 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id128528
    published2019-09-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128528
    titleMozilla Firefox ESR < 68.1
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4122-1.NASL
    descriptionMultiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to obtain sensitive information, bypass Content Security Policy (CSP) protections, bypass same-origin restrictions, conduct cross-site scripting (XSS) attacks, cause a denial of service, or execute arbitrary code. (CVE-2019-5849, CVE-2019-11734, CVE-2019-11735, CVE-2019-11737, CVE-2019-11738, CVE-2019-11740, CVE-2019-11742, CVE-2019-11743, CVE-2019-11744, CVE-2019-11746, CVE-2019-11748, CVE-2019-11749, CVE-2019-11750, CVE-2019-11752) It was discovered that a compromised content process could log in to a malicious Firefox Sync account. An attacker could potentially exploit this, in combination with another vulnerability, to disable the sandbox. (CVE-2019-9812) It was discovered that addons.mozilla.org and accounts.firefox.com could be loaded in to the same content process. An attacker could potentially exploit this, in combination with another vulnerability that allowed a cross-site scripting (XSS) attack, to modify browser settings. (CVE-2019-11741) It was discovered that the
    last seen2020-06-01
    modified2020-06-02
    plugin id128521
    published2019-09-05
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128521
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.04 : firefox vulnerabilities (USN-4122-1)
  • NASL familyWindows
    NASL idMOZILLA_FIREFOX_60_9_ESR.NASL
    descriptionThe version of Firefox ESR installed on the remote Windows host is prior to 60.9. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-27 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2019-09-05
    plugin id128530
    published2019-09-05
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128530
    titleMozilla Firefox ESR < 60.9
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2260.NASL
    descriptionThis update for MozillaFirefox to 68.1 fixes the following issues : Security issues fixed : - CVE-2019-9811: Fixed a sandbox escape via installation of malicious language pack. (bsc#1140868) - CVE-2019-9812: Fixed a sandbox escape through Firefox Sync. (bsc#1149294) - CVE-2019-11710: Fixed several memory safety bugs. (bsc#1140868) - CVE-2019-11714: Fixed a potentially exploitable crash in Necko. (bsc#1140868) - CVE-2019-11716: Fixed a sandbox bypass. (bsc#1140868) - CVE-2019-11718: Fixed inadequate sanitation in the Activity Stream component. (bsc#1140868) - CVE-2019-11720: Fixed a character encoding XSS vulnerability. (bsc#1140868) - CVE-2019-11721: Fixed a homograph domain spoofing issue through unicode latin
    last seen2020-06-01
    modified2020-06-02
    plugin id129665
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129665
    titleopenSUSE Security Update : MozillaFirefox (openSUSE-2019-2260)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOS_FIREFOX_60_9_ESR.NASL
    descriptionThe version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 60.9. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-27 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2019-09-05
    plugin id128529
    published2019-09-05
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128529
    titleMozilla Firefox ESR < 60.9
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2694.NASL
    descriptionAn update for firefox is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 25 September 2019] Previously, this erratum was marked as having a security impact of Critical. This was incorrect; the security impact of this erratum has been changed to Important, to correctly reflect the highest impact rating of CVE fixes included in this release. No changes have been made to the packages. Mozilla Firefox is an open source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.9.0 ESR. Security Fix(es) : * Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812) * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) * Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) * Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) * Mozilla: Use-after-free while manipulating video (CVE-2019-11746) * Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) * firefox: stored passwords in
    last seen2020-06-01
    modified2020-06-02
    plugin id128976
    published2019-09-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128976
    titleCentOS 6 : firefox (CESA-2019:2694)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201911-07.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201911-07 (Mozilla Firefox: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details. Impact : Please review the referenced CVE identifiers for details. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id131267
    published2019-11-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131267
    titleGLSA-201911-07 : Mozilla Firefox: Multiple vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2729.NASL
    descriptionAn update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 25 September 2019] Previously, this erratum was marked as having a security impact of Critical. This was incorrect; the security impact of this erratum has been changed to Important, to correctly reflect the highest impact rating of CVE fixes included in this release. No changes have been made to the packages. Mozilla Firefox is an open source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.9.0 ESR. Security Fix(es) : * Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812) * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) * Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) * Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) * Mozilla: Use-after-free while manipulating video (CVE-2019-11746) * Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) * firefox: stored passwords in
    last seen2020-05-31
    modified2019-09-16
    plugin id128853
    published2019-09-16
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128853
    titleRHEL 7 : firefox (RHSA-2019:2729)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOS_FIREFOX_68_1_ESR.NASL
    descriptionThe version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 68.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-26 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id128527
    published2019-09-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128527
    titleMozilla Firefox ESR < 68.1
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2729.NASL
    descriptionAn update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 25 September 2019] Previously, this erratum was marked as having a security impact of Critical. This was incorrect; the security impact of this erratum has been changed to Important, to correctly reflect the highest impact rating of CVE fixes included in this release. No changes have been made to the packages. Mozilla Firefox is an open source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.9.0 ESR. Security Fix(es) : * Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812) * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) * Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) * Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) * Mozilla: Use-after-free while manipulating video (CVE-2019-11746) * Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) * firefox: stored passwords in
    last seen2020-06-01
    modified2020-06-02
    plugin id129023
    published2019-09-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129023
    titleCentOS 7 : firefox (CESA-2019:2729)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190910_FIREFOX_ON_SL6_X.NASL
    descriptionThis update upgrades Firefox to version 60.9.0 ESR.&#13; &#13; Security Fix(es):&#13; &#13; - Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812)&#13; &#13; - Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and&#13; Firefox ESR 60.9 (CVE-2019-11740)&#13; &#13; - Mozilla: Same-origin policy violation with SVG filters and canvas to&#13; steal cross-origin images (CVE-2019-11742)&#13; &#13; - Mozilla: XSS by breaking out of title and textarea elements using&#13; innerHTML (CVE-2019-11744)&#13; &#13; - Mozilla: Use-after-free while manipulating video (CVE-2019-11746)&#13; &#13; - Mozilla: Use-after-free while extracting a key value in IndexedDB&#13; (CVE-2019-11752)&#13; &#13; - firefox: stored passwords in
    last seen2020-05-31
    modified2019-09-11
    plugin id128667
    published2019-09-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128667
    titleScientific Linux Security Update : firefox on SL6.x i386/x86_64 (20190910)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190911_FIREFOX_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812) - Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) - Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) - Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) - Mozilla: Use-after-free while manipulating video (CVE-2019-11746) - Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) - firefox: stored passwords in
    last seen2020-05-31
    modified2019-09-16
    plugin id128861
    published2019-09-16
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128861
    titleScientific Linux Security Update : firefox on SL7.x x86_64 (20190911)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2663.NASL
    descriptionFrom Red Hat Security Advisory 2019:2663 : An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 24 September 2019] Previously, this erratum was marked as having a security impact of Critical. This was incorrect; the security impact of this erratum has been changed to Important, to correctly reflect the highest impact rating of CVE fixes included in this release. No changes have been made to the packages. Mozilla Firefox is an open source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 68.1.0 ESR. Security Fix(es) : * Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812) * Mozilla: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 (CVE-2019-11735) * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) * Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) * Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) * Mozilla: Use-after-free while manipulating video (CVE-2019-11746) * Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) * Mozilla: Cross-origin access to unload event attributes (CVE-2019-11743) * Mozilla: Persistence of WebRTC permissions in a third party context (CVE-2019-11748) * Mozilla: Camera information available without prompting using getUserMedia (CVE-2019-11749) * Mozilla: Type confusion in Spidermonkey (CVE-2019-11750) * Mozilla: Content security policy bypass through hash-based sources in directives (CVE-2019-11738) * Mozilla:
    last seen2020-05-31
    modified2019-09-09
    plugin id128599
    published2019-09-09
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128599
    titleOracle Linux 8 : firefox (ELSA-2019-2663)

Redhat

advisories
  • bugzilla
    id1748667
    titleCVE-2019-11750 Mozilla: Type confusion in Spidermonkey
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 8 is installed
        ovaloval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • commentfirefox-debugsource is earlier than 0:68.1.0-1.el8_0
            ovaloval:com.redhat.rhsa:tst:20192663001
          • commentfirefox-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190966002
        • AND
          • commentfirefox is earlier than 0:68.1.0-1.el8_0
            ovaloval:com.redhat.rhsa:tst:20192663003
          • commentfirefox is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100861006
    rhsa
    idRHSA-2019:2663
    released2019-09-04
    severityImportant
    titleRHSA-2019:2663: firefox security update (Important)
  • bugzilla
    id1748660
    titleCVE-2019-9812 Mozilla: Sandbox escape through Firefox Sync
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • commentfirefox is earlier than 0:60.9.0-1.el6_10
        ovaloval:com.redhat.rhsa:tst:20192694001
      • commentfirefox is signed with Red Hat redhatrelease2 key
        ovaloval:com.redhat.rhsa:tst:20100861006
    rhsa
    idRHSA-2019:2694
    released2019-09-12
    severityImportant
    titleRHSA-2019:2694: firefox security update (Important)
  • bugzilla
    id1748660
    titleCVE-2019-9812 Mozilla: Sandbox escape through Firefox Sync
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • commentfirefox is earlier than 0:60.9.0-1.el7_7
        ovaloval:com.redhat.rhsa:tst:20192729001
      • commentfirefox is signed with Red Hat redhatrelease2 key
        ovaloval:com.redhat.rhsa:tst:20100861006
    rhsa
    idRHSA-2019:2729
    released2019-09-12
    severityImportant
    titleRHSA-2019:2729: firefox security update (Important)
rpms
  • firefox-0:68.1.0-1.el8_0
  • firefox-debuginfo-0:68.1.0-1.el8_0
  • firefox-debugsource-0:68.1.0-1.el8_0
  • firefox-0:60.9.0-1.el6_10
  • firefox-debuginfo-0:60.9.0-1.el6_10
  • firefox-0:60.9.0-1.el7_7
  • firefox-debuginfo-0:60.9.0-1.el7_7