Subject: [ASA-201908-11] firefox: information disclosure

Arch Linux Security Advisory ASA-201908-11
==========================================

Severity: Medium
Date    : 2019-08-16
CVE-ID  : CVE-2019-11733
Package : firefox
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-1025

Summary
=======

The package firefox before version 68.0.2-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 68.0.2-1.

# pacman -Syu "firefox>=68.0.2-1"

The problem has been fixed upstream in version 68.0.2.

Workaround
==========

None.

Description
===========

An issue has been found in Firefox before 68.0.2. When a master
password is set, it is required to be entered before stored passwords
can be accessed in the 'Saved Logins' dialog. It was found that locally
stored passwords can be copied to the clipboard through the 'copy
password' context menu item without first entering the master password,
allowing for potential theft of stored passwords.

Impact
======

A local attacker is able to obtain stored passwords without first
entering the master password leading to information disclosure.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/#CVE-2019-11733
https://bugzilla.mozilla.org/show_bug.cgi?id=1565780
https://security.archlinux.org/CVE-2019-11733