CVE-2019-11742 Information

Description

A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox 69 Thunderbird 68.1 Thunderbird 60.9 Firefox ESR 60.9 and Firefox ESR 68.1.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Reference

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html https://bugzilla.mozilla.org/show_bug.cgi?id=1559715 https://security.gentoo.org/glsa/201911-07 https://usn.ubuntu.com/4150-1/ https://www.mozilla.org/security/advisories/mfsa2019-25/ https://www.mozilla.org/security/advisories/mfsa2019-26/ https://www.mozilla.org/security/advisories/mfsa2019-27/ https://www.mozilla.org/security/advisories/mfsa2019-29/ https://www.mozilla.org/security/advisories/mfsa2019-30/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

6.5