⚠ Actively exploited
Added to CISA KEV on 2022-05-23. Federal agencies required to patch by 2022-06-13. Required action: Apply updates per vendor instructions.

CVE-2019-11708

CVSS: 10 (CRITICAL)
EPSS: 66.5% (99th percentile)
CISA KEV: Exploited in Wild
CISA Required Action: Apply updates per vendor instructions.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages (7 packages)

CVEListV5 | mozilla/firefox | unspecified | 67.0.4
NVD | mozilla/firefox | < 60.7.2 | +1
CVEListV5 | mozilla/firefox_esr | unspecified | 60.7.2
Debian | firefox-esr | < 60.7.2esr-1 | +3
CVEListV5 | mozilla/thunderbird | unspecified | 60.7.2

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.

🔴 Vulnerability Details (6)

GHSA | GHSA-w2hj-6j62-2w9f: Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent p... | 2022-05-24
OSV | CVE-2019-11708: Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent p... | 2019-07-23
CVEList | CVE-2019-11708: Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent p... | 2019-07-23
OSV | thunderbird vulnerabilities | 2019-07-01
VulnCheck | Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability | 2019

💥 Exploits & PoCs (2)

Exploit-DB | Mozilla Firefox 67 - Array.pop JIT Type Confusion | 2022-02-02
Exploit-DB | Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack | 2019-12-07

📋 Vendor Advisories (5)

CISA | Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability | 2022-05-23
Ubuntu | Thunderbird vulnerabilities | 2019-07-01
Ubuntu | Firefox vulnerability | 2019-06-24
Red Hat | Mozilla: Sandbox escape using Prompt:Open | 2019-06-20
Debian | CVE-2019-11708: firefox - Insufficient vetting of parameters passed with the Prompt:Open IPC message betwe... | 2019

💬 Community (3)

Bugzilla | CVE-2019-11708 thunderbird: Mozilla: sandbox escape using Prompt:Open [fedora-all] | 2019-06-21
Bugzilla | CVE-2019-11708 Mozilla: Sandbox escape using Prompt:Open | 2019-06-21
Bugzilla | CVE-2019-11707 CVE-2019-11708 firefox: various flaws [fedora-all] | 2019-06-19