{"containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "60.7", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "67", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "60.7", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7."}], "problemTypes": [{"descriptions": [{"description": "Stealing of cross-domain images using canvas", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-23T13:24:05", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-13/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-15/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-14/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1540221"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2019-9817", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Thunderbird", "version": {"version_data": [{"version_affected": "<", "version_value": "60.7"}]}}, {"product_name": "Firefox", "version": {"version_data": [{"version_affected": "<", "version_value": "67"}]}}, {"product_name": "Firefox ESR", "version": {"version_data": [{"version_affected": "<", "version_value": "60.7"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Stealing of cross-domain images using canvas"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2019-13/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-13/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-15/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-15/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-14/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2019-14/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1540221", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1540221"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:01:54.839Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-13/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-15/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-14/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1540221"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-9817", "datePublished": "2019-07-23T13:24:05", "dateReserved": "2019-03-14T00:00:00", "dateUpdated": "2024-08-04T22:01:54.839Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "83DEE955-3E09-489F-BE40-2FD33EACF436", "versionEndExcluding": "67.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "0AE86A15-DB39-4AA7-992B-FEBC77C52CF3", "versionEndExcluding": "60.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD578CD5-6B23-4339-BE6F-4FC336F890B2", "versionEndExcluding": "60.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7."}, {"lang": "es", "value": "Las im\u00e1genes desde un dominio diferente pueden ser le\u00eddas utilizando un objeto de canvas en ciertas circunstancias. Esto podr\u00eda ser usado para robar datos de im\u00e1genes desde un sitio diferente en violaci\u00f3n de la pol\u00edtica del mismo origen. Esta vulnerabilidad afecta a Thunderbird anterior a versi\u00f3n 60.7, Firefox anterior a versi\u00f3n 67 y Firefox ESR anterior a versi\u00f3n 60.7."}], "id": "CVE-2019-9817", "lastModified": "2024-11-21T04:52:22.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2019-07-23T14:15:17.187", "references": [{"source": "[email protected]", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1540221"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-13/"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-14/"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-15/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1540221"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-13/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-14/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-15/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "[email protected]", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Lu\u1eadt Nguy\u1ec5n as the original reporter.", "affected_release": [{"advisory": "RHSA-2019:1267", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "firefox-0:60.7.0-1.el6_10", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2019-05-23T00:00:00Z"}, {"advisory": "RHSA-2019:1310", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "thunderbird-0:60.7.0-1.el6_10", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2019-06-03T00:00:00Z"}, {"advisory": "RHSA-2019:1265", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:60.7.0-1.el7_6", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-05-23T00:00:00Z"}, {"advisory": "RHSA-2019:1309", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:60.7.0-1.el7_6", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-06-03T00:00:00Z"}, {"advisory": "RHSA-2019:1269", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:60.7.0-1.el8_0", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-05-23T00:00:00Z"}, {"advisory": "RHSA-2019:1308", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:60.7.0-1.el8_0", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-06-03T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Stealing of cross-domain images using canvas", "id": "1712626", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712626"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-829", "details": ["Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7."], "name": "CVE-2019-9817", "public_date": "2019-05-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-9817\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-9817\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9817"], "statement": "In general, this flaw cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but it is potentially a risk in browser or browser-like contexts.", "threat_severity": "Important"}