Vulnerability Details : CVE-2019-12383
Tor Browser before 8.0.1 has an information exposure vulnerability. It allows remote attackers to detect the browser's UI locale by measuring a button width, even if the user has a "Don't send my language" setting.
Exploit prediction scoring system (EPSS) score for CVE-2019-12383
Probability of exploitation activity in the next 30 days: 0.22%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 59 %
CVSS scores for CVE-2019-12383
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | [email protected] |
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 2.8 | 1.4 | [email protected] |
CWE ids for CVE-2019-12383
- The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Assigned by: [email protected] (Primary)
References for CVE-2019-12383
- https://gitweb.torproject.org/tor-browser.git/commit/?id=cbb04b72c68272c2de42f157d40cd7d29a6b7b55 (Mailing List; Patch; Third Party Advisory)
- https://trac.torproject.org/projects/tor/ticket/24056 (Vendor Advisory)
- https://hackerone.com/reports/282748 (Issue Tracking; Third Party Advisory)
- http://www.securityfocus.com/bid/108484 (Broken Link; Third Party Advisory; VDB Entry)
Products affected by CVE-2019-12383
- cpe:2.3:a:torproject:tor_browser:*:*:*:*:*:*:*:*