CVE-2019-11711 — HIGH (8.8)

Q: How severe is CVE-2019-11711?

CVE-2019-11711 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-11711?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Thunderbird, Debian Debian Linux.

Vulnerability Description

When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Mozilla	Firefox	< 60.8.0
Mozilla	Thunderbird	< 60.8.0
Debian	Debian Linux	8.0

References

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.htmlBroken Link
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.htmlBroken Link
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.htmlBroken Link
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.htmlBroken Link
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.htmlBroken Link
https://bugzilla.mozilla.org/show_bug.cgi?id=1552541Issue TrackingPermissions RequiredVendor Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00001.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00002.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/201908-12Third Party Advisory
https://security.gentoo.org/glsa/201908-20Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2019-21/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-22/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-23/Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.htmlBroken Link
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.htmlBroken Link

FAQ

What is CVE-2019-11711?

CVE-2019-11711 is a vulnerability with a CVSS score of 8.8 (HIGH). When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page ...

How severe is CVE-2019-11711?

CVE-2019-11711 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-11711?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Thunderbird, Debian Debian Linux.