CVE-2019-11708

Name: CVE-2019-11708
Creator: NVD / NIST
Published: 2019-07-23T14:15:15.327+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 10/10Actively ExploitedEPSS 55.87%

Last modified Jun 17, 2026

CVE-2019-11708 is a critical-severity vulnerability rated 10/10 on the CVSS scale. Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. CISA has confirmed active exploitation in the wild. EPSS estimates a 55.87% chance of exploitation in the next 30 days.

Description

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.

Metrics

CVSS 3.1

10/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

55.87%

98.9th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Jun 13, 2022.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Mozilla	Firefox	< 60.7.2
Mozilla	Firefox	< 67.0.4
Mozilla	Thunderbird	< 60.7.2

References

http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.htmlThird Party Advisory, VDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1559858Issue Tracking, Vendor Advisory
https://security.gentoo.org/glsa/201908-12Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2019-19/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-20/Vendor Advisory
http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.htmlThird Party Advisory, VDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1559858Issue Tracking, Vendor Advisory
https://security.gentoo.org/glsa/201908-12Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2019-19/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-20/Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11708US Government Resource

Timeline

Published: Jul 23, 2019
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2019-11708?

How severe is CVE-2019-11708?

CVE-2019-11708 has a CVSS score of 10/10 (CRITICAL severity). The EPSS model estimates a 55.87% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2019-11708?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-11708?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST