CORS Bypass Vulnerability in NPAPI Plugins Allows CSRF Attacks

CORS Bypass Vulnerability in NPAPI Plugins Allows CSRF Attacks

CVE-2019-11712 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:P/A:P

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Learn more about our Api Penetration Testing.