CVE-2019-11707

Warning

EPSS 81.06%
Published 23.07.2019 14:15:15
Last modified 03.04.2025 21:03:18
Source security@mozilla.org
Teams watchlist Login
Open Login

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

Affected products Warnungen 1 Metrics 4 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Mozilla ≫ Firefox SwEditionesr Version < 60.7.1

Mozilla ≫ Firefox Version < 60.7.3

Mozilla ≫ Thunderbird Version < 60.7.2

23.05.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Mozilla Firefox and Thunderbird Type Confusion Vulnerability

Vulnerability

Mozilla Firefox and Thunderbird contain a type confusion vulnerability that can occur when manipulating JavaScript objects due to issues in Array.pop, allowing for an exploitable crash.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	81.06%	0.991

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

https://bugzilla.mozilla.org/show_bug.cgi?id=1544386

Vendor Advisory

Issue Tracking

Permissions Required

https://security.gentoo.org/glsa/201908-12

Third Party Advisory

https://www.mozilla.org/security/advisories/mfsa2019-18/

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2019-20/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-11707

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-11707

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-11707

EUVD