CyberSec.Space Logo
CVEブラウザに戻る

CVE-2019-11708

Known Exploited (CISA KEV)CRITICAL
10.0
CVSS Severity Score
EPSS Score36.3970%
EPSS Percentile87.95th
Published2019年7月23日
Last Modified2025年10月27日

Vulnerability Description

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.

Affected Platforms (CPE)

📦
Mozilla

Firefox

< 60.7.2
📦
Mozilla

Firefox

< 67.0.4
📦
Mozilla

Thunderbird

< 60.7.2

References & Advisories

🔗 http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html
🔗 https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
🔗 https://security.gentoo.org/glsa/201908-12
🔗 https://www.mozilla.org/security/advisories/mfsa2019-19/
🔗 https://www.mozilla.org/security/advisories/mfsa2019-20/
🔗 http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html
🔗 https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
🔗 https://security.gentoo.org/glsa/201908-12

関連する脆弱性情報

CVE-2019-2513610.0

A compromised child process could have injected XBL Bindings into privileged CSS rules, resulting in arbitrary code execution and ...

CVE-2020-1238810.0

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this iss...

CVE-2018-1850510.0

An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication betwee...

CVE-2020-1238910.0

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this iss...