CVE-2019-11730

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-11730

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11730.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2019-11730

Downstream

DEBIAN-CVE-2019-11730

DLA-1869-1

DLA-1870-1

DSA-4479-1

DSA-4482-1

RHSA-2019:1763

RHSA-2019:1764

RHSA-2019:1765

RHSA-2019:1775

RHSA-2019:1777

RHSA-2019:1799

SUSE-SU-2019:14124-1

SUSE-SU-2019:14246-1

SUSE-SU-2019:1861-1

SUSE-SU-2019:1861-2

SUSE-SU-2019:1861-3

SUSE-SU-2019:1869-1

SUSE-SU-2019:1960-1

SUSE-SU-2019:2515-1

SUSE-SU-2019:2620-1

UBUNTU-CVE-2019-11730

USN-4054-1

USN-4064-1

openSUSE-SU-2019:1782-1

openSUSE-SU-2019:1811-1

openSUSE-SU-2019:1813-1

openSUSE-SU-2019:1990-1

openSUSE-SU-2019:2248-1

openSUSE-SU-2019:2249-1

openSUSE-SU-2024:10600-1

openSUSE-SU-2024:10601-1

openSUSE-SU-2024:14572-1

Related

Published

2019-07-23T14:15:16Z

Modified

2025-08-09T20:01:27Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

References

Affected packages