Vulnerability Details : CVE-2019-9808

If WebRTC permission is requested from documents with data: or blob: URLs, the permission notifications do not properly display the originating domain. The notification states "Unknown origin" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 66.

Published 2019-04-26 17:29:04

Updated 2019-04-29 19:13:56

Source Mozilla Corporation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2019-9808

Probability of exploitation activity in the next 30 days: 0.09%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 38 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-9808

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	nvd@nist.gov
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	nvd@nist.gov
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2019-9808

CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-9808

https://bugzilla.mozilla.org/show_bug.cgi?id=1434634

Access Denied
Issue Tracking;Permissions Required;Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-07/

Security vulnerabilities fixed in Firefox 66 — Mozilla
Vendor Advisory

CVEs referencing this url

Products affected by CVE-2019-9808

Mozilla » Firefox
Versions before (<) 66.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions