CVE-2019-11708
Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
YesDecision
Descriptions
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
Una revisión insuficiente de los parámetros pasados ??con el mensaje IPC de Prompt:Open, entre procesos hijo y padre puede resultar que el proceso padre fuera del Sandbox abra el contenido web elegido por un proceso hijo comprometido. Cuando se combina con vulnerabilidades adicionales, esto podría resultar en la ejecución de código arbitrario en el ordenador del usuario. Esta vulnerabilidad afecta a Firefox ESR anterior a versión 60.7.2, Firefox anterior a versión 67.0.4 y Thunderbird anterior a versión 60.7.2.
Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-05-03 CVE Reserved
- 2019-06-24 CVE Published
- 2019-12-07 First Exploit
- 2022-05-23 Exploited in Wild
- 2022-06-13 KEV Due Date
- 2024-08-04 CVE Updated
- 2024-10-31 EPSS Updated
CWE
- CWE-20: Improper Input Validation
- CWE-270: Privilege Context Switching Error
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/47752 | 2019-12-07 | |
https://github.com/0vercl0k/CVE-2019-11708 | 2020-06-13 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.mozilla.org/show_bug.cgi?id=1559858 | 2024-07-02 | |
https://security.gentoo.org/glsa/201908-12 | 2024-07-02 | |
https://www.mozilla.org/security/advisories/mfsa2019-19 | 2024-07-02 | |
https://www.mozilla.org/security/advisories/mfsa2019-20 | 2024-07-02 | |
https://access.redhat.com/security/cve/CVE-2019-11708 | 2019-07-08 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1722673 | 2019-07-08 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | < 67.0.4 Search vendor "Mozilla" for product "Firefox" and version " < 67.0.4" | - |
Affected
| ||||||
Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | < 60.7.2 Search vendor "Mozilla" for product "Firefox Esr" and version " < 60.7.2" | - |
Affected
| ||||||
Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | < 60.7.2 Search vendor "Mozilla" for product "Thunderbird" and version " < 60.7.2" | - |
Affected
|