{"api_version":"1","generated_at":"2026-04-23T11:32:57+00:00","cve":"CVE-2019-9803","urls":{"html":"https://cve.report/CVE-2019-9803","api":"https://cve.report/api/cve/CVE-2019-9803.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-9803","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-9803"},"summary":{"title":"CVE-2019-9803","description":"The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must be upgraded to HTTPS. Firefox will incorrectly navigate to an HTTP URL rather than perform the security upgrade requested by the CSP in some circumstances, allowing for potential man-in-the-middle attacks on the linked resources. This vulnerability affects Firefox < 66.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2019-04-26 17:29:00","updated_at":"2019-04-30 23:51:00"},"problem_types":["CWE-346"],"metrics":[],"references":[{"url":"https://www.mozilla.org/security/advisories/mfsa2019-07/","name":"https://www.mozilla.org/security/advisories/mfsa2019-07/","refsource":"MISC","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox 66 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://w3c.github.io/webappsec-upgrade-insecure-requests/","name":"https://w3c.github.io/webappsec-upgrade-insecure-requests/","refsource":"MISC","tags":["Third Party Advisory"],"title":"Upgrade Insecure Requests","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1515863","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1515863","refsource":"MISC","tags":["Issue Tracking","Permissions Required","Vendor Advisory"],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1437009","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1437009","refsource":"MISC","tags":["Issue Tracking","Vendor Advisory"],"title":"1437009 - CSP is not propagated to the TriggeringPrincipal for right-click new tab,ctrl-click new tab, drag & drop new tab cases","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-9803","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-9803","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"9803","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9803","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-9803","qid":"371855","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for mozilla Multiple Vulnerabilities (05da6b56-3e66-4306-9ea3-89fafe939726)"}]},"source_records":{"cve_program":{"data_version":"4.0","references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2019-07/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2019-07/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1515863","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1515863"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1437009","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1437009"},{"url":"https://w3c.github.io/webappsec-upgrade-insecure-requests/","refsource":"MISC","name":"https://w3c.github.io/webappsec-upgrade-insecure-requests/"}]},"description":{"description_data":[{"lang":"eng","value":"The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must be upgraded to HTTPS. Firefox will incorrectly navigate to an HTTP URL rather than perform the security upgrade requested by the CSP in some circumstances, allowing for potential man-in-the-middle attacks on the linked resources. This vulnerability affects Firefox < 66."}]},"data_type":"CVE","affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"version":{"version_data":[{"version_affected":"<","version_value":"66"}]},"product_name":"Firefox"}]},"vendor_name":"Mozilla"}]}},"CVE_data_meta":{"ID":"CVE-2019-9803","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"data_format":"MITRE","problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation"}]}]}},"nvd":{"publishedDate":"2019-04-26 17:29:00","lastModifiedDate":"2019-04-30 23:51:00","problem_types":["CWE-346"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"66.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"9803","Ordinal":"147682","Title":"CVE-2019-9803","CVE":"CVE-2019-9803","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"9803","Ordinal":"1","NoteData":"The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must be upgraded to HTTPS. Firefox will incorrectly navigate to an HTTP URL rather than perform the security upgrade requested by the CSP in some circumstances, allowing for potential man-in-the-middle attacks on the linked resources. This vulnerability affects Firefox < 66.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"9803","Ordinal":"2","NoteData":"2019-04-26","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"9803","Ordinal":"3","NoteData":"2019-04-26","Type":"Other","Title":"Modified"}]}}}