CVE-2019-11708
Basic Information
- CVE State: PUBLISHED
- Reserved Date: May 03, 2019
- Published Date: July 23, 2019
- Last Updated: February 07, 2025
- Vendor: Mozilla
- Product: Firefox ESR, Firefox, Thunderbird
- Description: Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
CVSS Scores
CVSS v3.1
10.0 - CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SSVC Information
- Exploitation: active
- Technical Impact: total
References
https://www.mozilla.org/security/advisories/mfsa2019-19/
https://www.mozilla.org/security/advisories/mfsa2019-20/
https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
https://security.gentoo.org/glsa/201908-12
http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html
Known Exploited Vulnerability Information
Source | Added Date |
---|---|
CISA | 2022-05-23 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
0vercl0k/CVE-2019-11708
Type: github • Created: 2019-09-29 07:08:52 UTC • Stars: 624
Full exploit chain (CVE-2019-11708 & CVE-2019-9810) against Firefox on Windows 64-bit.