PT-2019-4827 · Mozilla+5 · Firefox+5

Niklas Baumstark

·

Published

2019-09-03

·

Updated

2024-12-12

·

CVE-2019-9812

CVSS v3.1

9.3

Critical

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions Firefox ESR versions prior to 60.9 Firefox ESR versions prior to 68.1 Firefox versions prior to 69
Description The issue allows an attacker to escape the sandbox of a compromised Firefox browser by loading accounts.firefox.com and forcing a log-in to a malicious Firefox Sync account. This can lead to preference settings that disable the sandbox being synchronized to the local machine, causing the compromised browser to restart without the sandbox if a crash is triggered. The vulnerability can be exploited remotely and may allow an attacker to compromise data integrity or cause a denial of service.
Recommendations For Firefox ESR versions prior to 60.9, update to version 60.9 or later to resolve the issue. For Firefox ESR versions prior to 68.1, update to version 68.1 or later to resolve the issue. For Firefox versions prior to 69, update to version 69 or later to resolve the issue.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2019-2640
ALT-PU-2019-2644
ALT-PU-2019-2686
ALT-PU-2020-1617
ALT-PU-2020-2408
ALT-PU-2020-2933
ALT-PU-2021-1368
BDU:2020-01411
CESA-2019_2663
CESA-2019_2694
CESA-2019_2729
CVE-2019-9812
DLA-1910-1
DSA-4516-1
MGASA-2019-0267
MGASA-2019-0268
OPENSUSE-SU-2019:2251-1
OPENSUSE-SU-2019:2260-1
OPENSUSE-SU-2019_2251-1
OPENSUSE-SU-2019_2260-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:14572-1
RHSA-2019:2663
RHSA-2019:2694
RHSA-2019:2729
RHSA-2019_2663
RHSA-2019_2694
RHSA-2019_2729
SUSE-SU-2019:14173-1
SUSE-SU-2019:14246-1
SUSE-SU-2019:2436-1
SUSE-SU-2019:2545-1
SUSE-SU-2019:2620-1
SUSE-SU-2019_14173-1
SUSE-SU-2019_14246-1
USN-4122-1
USN-4122-2
ZDI-19-782

Affected Products

Alt Linux
Centos
Firefox
Red Hat
Suse
Ubuntu