CVE-2019-9812

Description

Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69.

CVSS Version 3.1
CVSS Version 2.0

nvd
CVE ID: CVE-2019-9812
Base Score: 9.3
Base Severity: CRITICAL
Vector String:CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
Impact Score: 5.8
Exploitability Score: 2.8

nvd
CVE ID: CVE-2019-9812
Base Score: 5.8
Base Severity: MEDIUM
Vector String:AV:N/AC:M/Au:N/C:N/I:P/A:P

Refrence: NVD

Description​

Description