VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-yybf-7qmk-2ba3

Essentials
Severities (24)
References (28)
Severity details (8)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-yybf-7qmk-2ba3
Aliases	CVE-2019-9812
Summary	Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered.
Status	Published
Exploitability	0.5
Weighted Severity	9.0
Risk	4.5
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-250

Execution with Unnecessary Privileges

System	Score	Found at
cvssv3	9.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9812.json
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
epss	0.0052	https://api.first.org/data/v1/epss?cve=CVE-2019-9812
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2	5.8	https://nvd.nist.gov/vuln/detail/CVE-2019-9812
cvssv3.1	9.3	https://nvd.nist.gov/vuln/detail/CVE-2019-9812
archlinux	High	https://security.archlinux.org/AVG-1036
generic_textual	critical	https://www.mozilla.org/en-US/security/advisories/mfsa2019-25
generic_textual	critical	https://www.mozilla.org/en-US/security/advisories/mfsa2019-26
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2019-27

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9812.json
		https://api.first.org/data/v1/epss?cve=CVE-2019-9812
		https://bugzilla.mozilla.org/show_bug.cgi?id=1538008
		https://bugzilla.mozilla.org/show_bug.cgi?id=1538015
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11740
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11742
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11743
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11744
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11746
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11752
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9812
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://www.mozilla.org/security/advisories/mfsa2019-25/
		https://www.mozilla.org/security/advisories/mfsa2019-26/
		https://www.mozilla.org/security/advisories/mfsa2019-27/
1748660		https://bugzilla.redhat.com/show_bug.cgi?id=1748660
ASA-201909-2		https://security.archlinux.org/ASA-201909-2
AVG-1036		https://security.archlinux.org/AVG-1036
cpe:2.3:a:mozilla:firefox::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox::::::::
cpe:2.3:a:mozilla:firefox_esr::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox_esr::::::::
CVE-2019-9812		https://nvd.nist.gov/vuln/detail/CVE-2019-9812
mfsa2019-25		https://www.mozilla.org/en-US/security/advisories/mfsa2019-25
mfsa2019-26		https://www.mozilla.org/en-US/security/advisories/mfsa2019-26
mfsa2019-27		https://www.mozilla.org/en-US/security/advisories/mfsa2019-27
RHSA-2019:2663		https://access.redhat.com/errata/RHSA-2019:2663
RHSA-2019:2694		https://access.redhat.com/errata/RHSA-2019:2694
RHSA-2019:2729		https://access.redhat.com/errata/RHSA-2019:2729
USN-4122-1		https://usn.ubuntu.com/4122-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9812.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2019-9812

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-9812

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.65841
EPSS Score	0.0052
Published At	July 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:09:58.098244+00:00	Mozilla Importer	Import	https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2019/mfsa2019-27.yml	37.0.0