CVE-2019-9801 Information

Description

Firefox will accept any registered Program ID as an external protocol handler and offer to launch this local application when given a matching URL on Windows operating systems. This should only happen if the program has specifically registered itself as a \URL Handler\ in the Windows registry. Note: This issue only affects Windows operating systems. Other operating systems are unaffected.. This vulnerability affects Thunderbird 60.6 Firefox ESR 60.6 and Firefox 66.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Reference

https://bugzilla.mozilla.org/show_bug.cgi?id=1527717 https://www.mozilla.org/security/advisories/mfsa2019-07/ https://www.mozilla.org/security/advisories/mfsa2019-08/ https://www.mozilla.org/security/advisories/mfsa2019-11/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

5.3