PT-2019-2958 · Mozilla+5 · Firefox Esr+7

Niklas Baumstark

·

Published

2019-07-09

·

Updated

2024-12-12

·

CVE-2019-9811

CVSS v3.1

8.3

High

VectorAV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Firefox ESR versions prior to 60.8 Firefox versions prior to 68 Thunderbird versions prior to 60.8
Description The issue is related to insufficient access control in Firefox ESR, Firefox, and the Thunderbird email client. It can be exploited by a remote attacker to cause a denial of service by loading a malicious language pack. A researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation.
Recommendations For Firefox ESR versions prior to 60.8, update to version 60.8 or later to resolve the issue. For Firefox versions prior to 68, update to version 68 or later to resolve the issue. For Thunderbird versions prior to 60.8, update to version 60.8 or later to resolve the issue. As a temporary workaround, consider restricting the installation of language packs to minimize the risk of exploitation.

Exploit

Fix

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-264

Related Identifiers

ALT-PU-2019-2231
ALT-PU-2019-2233
ALT-PU-2019-2249
ALT-PU-2019-2259
ALT-PU-2019-2301
ALT-PU-2019-2324
ALT-PU-2019-2479
ALT-PU-2019-2486
ALT-PU-2020-1166
ALT-PU-2020-1515
BDU:2019-02933
CESA-2019_1763
CESA-2019_1764
CESA-2019_1765
CESA-2019_1775
CESA-2019_1777
CESA-2019_1799
CVE-2019-9811
DLA-1869-1
DLA-1870-1
DSA-4479-1
DSA-4482-1
MGASA-2019-0211
MGASA-2019-0212
MGASA-2019-0213
OPENSUSE-SU-2019:1782-1
OPENSUSE-SU-2019:1811-1
OPENSUSE-SU-2019:1813-1
OPENSUSE-SU-2019:1990-1
OPENSUSE-SU-2019:2251-1
OPENSUSE-SU-2019:2260-1
OPENSUSE-SU-2019_1782-1
OPENSUSE-SU-2019_1811-1
OPENSUSE-SU-2019_1813-1
OPENSUSE-SU-2019_2251-1
OPENSUSE-SU-2019_2260-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:10601-1
OPENSUSE-SU-2024:14572-1
RHSA-2019:1763
RHSA-2019:1764
RHSA-2019:1765
RHSA-2019:1775
RHSA-2019:1777
RHSA-2019:1799
RHSA-2019_1763
RHSA-2019_1764
RHSA-2019_1765
RHSA-2019_1775
RHSA-2019_1777
RHSA-2019_1799
SUSE-SU-2019:14124-1
SUSE-SU-2019:14246-1
SUSE-SU-2019:1861-1
SUSE-SU-2019:1861-2
SUSE-SU-2019:1861-3
SUSE-SU-2019:1869-1
SUSE-SU-2019:1960-1
SUSE-SU-2019:2545-1
SUSE-SU-2019:2620-1
SUSE-SU-2019_14124-1
SUSE-SU-2019_14246-1
USN-4054-1
USN-4054-2
USN-4064-1
ZDI-19-657

Affected Products

Alt Linux
Centos
Firefox
Firefox Esr
Red Hat
Suse
Thunderbird
Ubuntu