VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-pjt5-ctch-xfes

Essentials
Severities (36)
References (28)
Severity details (16)
Exploits (2)
EPSS
History (1)

Vulnerability ID	VCID-pjt5-ctch-xfes
Aliases	CVE-2019-11708
Summary	Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.
Status	Published
Exploitability	2.0
Weighted Severity	9.0
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-20	Improper Input Validation
CWE-270	Privilege Context Switching Error

System	Score	Found at
cvssv3.1	10.0	http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html
ssvc	Attend	http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html
cvssv3	10.0	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11708.json
epss	0.50789	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.50789	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.50789	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
epss	0.53987	https://api.first.org/data/v1/epss?cve=CVE-2019-11708
cvssv3.1	10.0	https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
ssvc	Attend	https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
cvssv2	10.0	https://nvd.nist.gov/vuln/detail/CVE-2019-11708
cvssv3.1	10.0	https://nvd.nist.gov/vuln/detail/CVE-2019-11708
archlinux	High	https://security.archlinux.org/AVG-997
cvssv3.1	10.0	https://security.gentoo.org/glsa/201908-12
ssvc	Attend	https://security.gentoo.org/glsa/201908-12
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2019-19
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2019-20
cvssv3.1	10.0	https://www.mozilla.org/security/advisories/mfsa2019-19/
ssvc	Attend	https://www.mozilla.org/security/advisories/mfsa2019-19/
cvssv3.1	10.0	https://www.mozilla.org/security/advisories/mfsa2019-20/
ssvc	Attend	https://www.mozilla.org/security/advisories/mfsa2019-20/

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11708.json
		https://api.first.org/data/v1/epss?cve=CVE-2019-11708
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11708
1722673		https://bugzilla.redhat.com/show_bug.cgi?id=1722673
201908-12		https://security.gentoo.org/glsa/201908-12
ASA-201906-20		https://security.archlinux.org/ASA-201906-20
AVG-997		https://security.archlinux.org/AVG-997
cpe:2.3:a:mozilla:firefox::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox::::::::
cpe:2.3:a:mozilla:firefox_esr::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox_esr::::::::
cpe:2.3:a:mozilla:thunderbird::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird::::::::
CVE-2019-11708		https://nvd.nist.gov/vuln/detail/CVE-2019-11708
CVE-2019-9810;CVE-2019-11708	Exploit	https://github.com/0vercl0k/CVE-2019-11708/tree/1cdf26140f17de8a620e90f4f6ea3865e18e49ad
CVE-2019-9810;CVE-2019-11708	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/windows_x86-64/local/47752.js
mfsa2019-19		https://www.mozilla.org/en-US/security/advisories/mfsa2019-19
mfsa2019-19		https://www.mozilla.org/security/advisories/mfsa2019-19/
mfsa2019-20		https://www.mozilla.org/en-US/security/advisories/mfsa2019-20
mfsa2019-20		https://www.mozilla.org/security/advisories/mfsa2019-20/
Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html		http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html
RHSA-2019:1603		https://access.redhat.com/errata/RHSA-2019:1603
RHSA-2019:1604		https://access.redhat.com/errata/RHSA-2019:1604
RHSA-2019:1623		https://access.redhat.com/errata/RHSA-2019:1623
RHSA-2019:1624		https://access.redhat.com/errata/RHSA-2019:1624
RHSA-2019:1626		https://access.redhat.com/errata/RHSA-2019:1626
RHSA-2019:1696		https://access.redhat.com/errata/RHSA-2019:1696
show_bug.cgi?id=1559858		https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
USN-4032-1		https://usn.ubuntu.com/4032-1/
USN-4045-1		https://usn.ubuntu.com/4045-1/

Data source	Exploit-DB
Date added	Dec. 9, 2019
Description	Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack
Ransomware campaign use	Unknown
Source publication date	Dec. 7, 2019
Exploit type	local
Platform	windows_x86-64
Source update date	Dec. 9, 2019
Source URL	https://github.com/0vercl0k/CVE-2019-11708/tree/1cdf26140f17de8a620e90f4f6ea3865e18e49ad

Data source	KEV
Date added	May 23, 2022
Description	Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution.
Required action	Apply updates per vendor instructions.
Due date	June 13, 2022
Note	https://nvd.nist.gov/vuln/detail/CVE-2019-11708
Ransomware campaign use	Unknown

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:50:03Z/ Found at http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11708.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1559858

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:50:03Z/ Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1559858

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2019-11708

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-11708

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/201908-12

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:50:03Z/ Found at https://security.gentoo.org/glsa/201908-12

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://www.mozilla.org/security/advisories/mfsa2019-19/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:50:03Z/ Found at https://www.mozilla.org/security/advisories/mfsa2019-19/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://www.mozilla.org/security/advisories/mfsa2019-20/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:50:03Z/ Found at https://www.mozilla.org/security/advisories/mfsa2019-20/

Exploit Prediction Scoring System (EPSS)

Percentile	0.97784
EPSS Score	0.50789
Published At	Sept. 20, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:09:59.844757+00:00	Mozilla Importer	Import	https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2019/mfsa2019-20.yml	37.0.0