CVE-2019-11708: Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
First published: Thu Jun 20 2019(Updated: )
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Thunderbird | <60.7.2 | 60.7.2 |
| Mozilla Firefox | <67.0.4 | 67.0.4 |
| Mozilla Firefox ESR | <60.7.2 | 60.7.2 |
| Mozilla Firefox | <67.0.4 | |
| Mozilla Firefox ESR | <60.7.2 | |
| Mozilla Thunderbird | <60.7.2 | |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
- http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html
- https://security.gentoo.org/glsa/201908-12
- https://www.mozilla.org/security/advisories/mfsa2019-19/
- https://www.mozilla.org/security/advisories/mfsa2019-20/
- https://nvd.nist.gov/vuln/detail/CVE-2019-11708
Frequently Asked Questions
What is CVE-2019-11708?
CVE-2019-11708 is a vulnerability in Mozilla Firefox and Thunderbird that allows a compromised child process to open web content chosen by the non-sandboxed parent process.
How severe is CVE-2019-11708?
CVE-2019-11708 has a severity rating of critical.
How does CVE-2019-11708 impact Mozilla Firefox?
CVE-2019-11708 affects Mozilla Firefox versions up to and including 67.0.4.
How does CVE-2019-11708 impact Mozilla Firefox ESR?
CVE-2019-11708 affects Mozilla Firefox ESR versions up to and including 60.7.2.
How does CVE-2019-11708 impact Mozilla Thunderbird?
CVE-2019-11708 affects Mozilla Thunderbird versions up to and including 60.7.2.
Are there any remedies available for CVE-2019-11708?
Yes, updating to Mozilla Firefox version 67.0.4 or Mozilla Firefox ESR version 60.7.2 will fix the vulnerability.
Where can I find more information about CVE-2019-11708?
You can find more information about CVE-2019-11708 at the following references: 1. [Bugzilla - Mozilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1559858) 2. [Mozilla Security Advisory - MFSA2019-19](https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/) 3. [Mozilla Security Advisory - MFSA2019-20](https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/)
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/title
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup
- agent/description
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/references
- agent/softwarecombine
- agent/event
- agent/tags
- collector/nvd-cve
- vendor/mozilla
- canonical/mozilla thunderbird
- canonical/mozilla firefox
- canonical/mozilla firefox esr
- canonical/mozilla firefox and thunderbird