Early Access — Mondoo Vulnerability Intelligence is currently in preview.

UBUNTU-CVE-2019-11765

MEDIUM6.5

Published Oct 23, 2019

Modified 7 months ago

Fix available

Details

A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepted the permission request an attacker-controlled permission would be granted rather than the 'Click to Play' permission. This vulnerability affects Firefox < 70.

Affected Packages

Ubuntu:16.04:LTSfirefox

Affected versions:

41.0.2+build2-0ubuntu142.0+build2-0ubuntu144.0+build3-0ubuntu244.0.1+build1-0ubuntu144.0.2+build1-0ubuntu145.0+build2-0ubuntu145.0.1+build1-0ubuntu145.0.2+build1-0ubuntu146.0+build5-0ubuntu0.16.04.246.0.1+build1-0ubuntu0.16.04.2+63 more

Fixed in:

70.0+build2-0ubuntu0.16.04.1

Ubuntu:18.04:LTSfirefox

Affected versions:

56.0+build6-0ubuntu157.0.1+build2-0ubuntu159.0.1+build1-0ubuntu159.0.2+build1-0ubuntu160.0+build2-0ubuntu160.0.1+build2-0ubuntu0.18.04.160.0.2+build1-0ubuntu0.18.04.161.0+build3-0ubuntu0.18.04.161.0.1+build1-0ubuntu0.18.04.162.0+build2-0ubuntu0.18.04.3+25 more

Fixed in:

70.0+build2-0ubuntu0.18.04.1

Ubuntu:20.04:LTSfirefox

Affected versions:

69.0.3+build1-0ubuntu1

Fixed in:

70.0+build2-0ubuntu1

Ubuntu:Pro:18.04:LTSmozjs38

Affected versions:

38.8.0~repack1-0ubuntu138.8.0~repack1-0ubuntu338.8.0~repack1-0ubuntu4

Ubuntu:Pro:18.04:LTSmozjs52

Affected versions:

52.3.1-0ubuntu352.3.1-7fakesync152.8.1-0ubuntu0.18.04.152.9.1-0ubuntu0.18.04.1

Ubuntu:Pro:20.04:LTSmozjs52

Affected versions:

52.9.1-1build152.9.1-1ubuntu3

References

REPORThttps://ubuntu.com/security/CVE-2019-11765 REPORThttps://ubuntu.com/security/notices/USN-4165-1 REPORThttps://www.cve.org/CVERecord?id=CVE-2019-11765 REPORThttps://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-11765

CVSS Analysis

CVSS v3.1

6.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

RequiredUI:R

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

HighI:H

Availability

NoneA:N

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVE-2019-11765 USN-4165-1

Ecosystems

Ubuntu 16.04 LTS Ubuntu 18.04 LTS Ubuntu 20.04 LTS Ubuntu Pro 18.04 LTS Ubuntu Pro 20.04 LTS

Timeline

PublishedOct 23, 2019

ModifiedJun 3, 2025

UBUNTU-CVE-2019-11765 | Mondoo Vulnerability Intelligence

UBUNTU-CVE-2019-11765

Details

Affected Packages

References

CVSS Analysis

Related

Ecosystems

Timeline