Vulnerability Description
The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware. If the Mozilla Maintenance Service is manipulated to update this unprotected location and the updated maintenance service in the unprotected location has been altered, the altered maintenance service can run with elevated privileges during the update process due to a lack of integrity checks. This allows for privilege escalation if the executable has been replaced locally. <br>*Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.*. This vulnerability affects Firefox < 69, Firefox ESR < 60.9, and Firefox ESR < 68.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 60.9.0 |
| Mozilla | Firefox Esr | >= 68.0, < 68.1.0 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=1574980Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2019-25/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2019-26/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2019-27/Vendor Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=1574980Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2019-25/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2019-26/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2019-27/Vendor Advisory
FAQ
What is CVE-2019-11753?
CVE-2019-11753 is a vulnerability with a CVSS score of 7.8 (HIGH). The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware. If the Mozilla Maintenance Service i...
How severe is CVE-2019-11753?
CVE-2019-11753 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-11753?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Firefox Esr, Microsoft Windows.