CVE-2019-9811

HIGH

Firefox ESR < 60.8, Firefox < 68, Thunderbird < 60.8 - Privilege Es...

Title source: llm

Description

As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

References (15)

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html

[Issue Tracking, Permissions Required] https://bugzilla.mozilla.org/show_bug.cgi?id=1538007

[Exploit, Issue Tracking, Patch, Vendor Advisory] https://bugzilla.mozilla.org/show_bug.cgi?id=1539598

[Exploit, Issue Tracking, Vendor Advisory] https://bugzilla.mozilla.org/show_bug.cgi?id=1563327

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html

[Third Party Advisory] https://security.gentoo.org/glsa/201908-12

[Third Party Advisory] https://security.gentoo.org/glsa/201908-20

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2019-21/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2019-22/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2019-23/

Scores

CVSS v3 8.3

EPSS 0.0068

EPSS Percentile 71.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Classification

CWE

CWE-74

Status published

Affected Products (7)

mozilla/firefox < 68.0

mozilla/firefox_esr < 60.8

mozilla/thunderbird < 60.8

debian/debian_linux

novell/suse_package_hub_for_suse_linux_enterprise

opensuse/leap

opensuse/leap

Timeline

Published Jul 23, 2019

Tracked Since Feb 18, 2026