CVE-2019-9794

CVSS v3.0 9.8 (Critical)
CVSS v2.0 7.5 (High)
EPSS 0.41 % (74th)
Affected Products 4
Advisories 11

A vulnerability was discovered where specific command-line arguments are not properly discarded when Firefox is invoked as a shell handler for URLs. This could be used to retrieve and execute files whose location is supplied through these command-line arguments if Firefox is configured as the default URI handler for a given URI scheme in third-party applications and these applications insufficiently sanitize URL data. Note: This issue only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.

Weaknesses
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE Status
PUBLISHED
CNA
Mozilla Corporation
Published Date
2019-04-26 17:29:02
(5 years ago)
Updated Date
2021-07-21 11:39:23
(3 years ago)

Affected Products


Configuration #1

AND
  OR (columns: product, CPE23, Up To)
    Mozilla Firefox, versions prior to 66.0          cpe:2.3:a:mozilla:firefox        < 66.0
    Mozilla Firefox ESR, versions prior to 60.6.0    cpe:2.3:a:mozilla:firefox_esr    < 60.6.0
    Mozilla Thunderbird, versions prior to 60.6.0    cpe:2.3:a:mozilla:thunderbird    < 60.6.0
  Running on/with
    Microsoft Windows                                cpe:2.3:o:microsoft:windows:-