Bug 1149286 (CVE-2019-11751) - VUL-0: CVE-2019-11751: MozillaFirefox: Malicious code execution through command line parameters
Summary: VUL-0: CVE-2019-11751: MozillaFirefox: Malicious code execution through comma...
Status: RESOLVED INVALID
Alias: CVE-2019-11751
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Windows
: P5 - None : Major
Target Milestone: ---
Assignee: Charles Robertson
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/241694/
Whiteboard: CVSSv2:NVD:CVE-2019-11751:6.8:(AV:N/...
Keywords:
Depends on: 1149323 1149324
Blocks:
  Show dependency treegraph
 
Reported: 2019-09-04 06:48 UTC by Alexander Bergmann
Modified: 2019-10-03 00:31 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2019-09-04 06:48:21 UTC 
CVE-2019-11751: Malicious code execution through command line parameters

Reporter   Ping Fan (Zetta) Ke of VXRL working with iDefense Labs
Impact     critical

Description
Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used to write a log file to an arbitrary location such as the Windows 'Startup' folder. 

** Note: this issue only affects Firefox on Windows operating systems. **

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11751
https://bugzilla.mozilla.org/show_bug.cgi?id=1572838
https://bugzilla.redhat.com/show_bug.cgi?id=1748668
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11751
Comment 1 Andreas Stieger 2019-09-04 14:46:26 UTC 
Not affected.