CVE-2019-11708

CRITICAL KEV

Firefox ESR < 60.7.2, Firefox < 67.0.4, Thunderbird < 60.7.2 - RCE

Description

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.

Exploits (3)

nomisec WORKING POC 623 stars
by 0vercl0k · client-side
https://github.com/0vercl0k/CVE-2019-11708
exploitdb WORKING POC
javascript · local · windows_x86-64
https://www.exploit-db.com/exploits/47752
vulncheck_xdb WORKING POC
client-side
https://github.com/Sp0pielar/CVE-2019-9791

Scores

CVSS v3 10.0
EPSS 0.6888
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2022-05-23
VulnCheck KEV 2019-06-20
InTheWild.io 2019-06-20
ENISA EUVD EUVD-2019-3378

Classification

CWE CWE-20
Status published

Affected Products (3)

mozilla/firefox < 60.7.2
mozilla/firefox < 67.0.4
mozilla/thunderbird < 60.7.2

Timeline

Published Jul 23, 2019
KEV Added May 23, 2022
Tracked Since Feb 18, 2026