VDB
CVE-2019-9794
CVE-2019-9794
PUBLISHED
A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell handler for URLs. This could be used to retrieve and execute files whose location is supplied through these command line arguments if Firefox is configured as the default URI handler for a given URI scheme in third party applications and these applications insufficiently sanitize URL data. *Note: This issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.
EPSS 0.58% · 69.2th percentile
Risk Scores
EPSS Score
0.58%
69.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | mozjs38 | 0, *, 38.8.0~repack1-0ubuntu4 |
| Ubuntu:20.04:LTS | mozjs52 | 52.9.1-1ubuntu3, 0, 52.9.1-1build1 |
| Ubuntu:18.04:LTS | mozjs52 | 52.3.1-7fakesync1, 52.3.1-0ubuntu3, 0 |
Timeline
- Mar 29, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-9794 third-party-advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9794 third-party-advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9794 third-party-advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9794 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-9794 third-party-advisory