CVE-2019-11708

ENISA EUVD: EUVD-2019-3378 ↗
Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero
Triaged: March 5, 2026 Published: 2019-07-23
VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23
68.13%
probability
This CVE has a 68.13% probability of being exploited in the next 30 days.
0% Top 98.6th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
10
CRITICAL
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v2 (legacy)

10.0
HIGH
Access Vector
Network
Access Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
AV:N/AC:L/Au:N/C:C/I:C/A:C

Description

VulnerabilityLookup (CNA)
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.

Affected Products

Mozilla
Firefox ESR
unspecified
Mozilla
Firefox
unspecified
Mozilla
Thunderbird
unspecified

Attack Intelligence

Google Project Zero

Patched
June 20, 2019
Reported by
Coinbase Security
Root Cause Analysis
???

Exploits & PoC

0vercl0k/CVE-2019-11708

Full exploit chain (CVE-2019-11708 & CVE-2019-9810) against Firefox on Windows 64-bit.

624 2020-06-13
1 repo — triés par ⭐ Rechercher sur GitHub ↗

Signal Intelligence

Confidence
95%
EPSS 68.13%
CVSS v3.1 10
Mentions 0

CNA Information

CNA Assigner
mozilla

Analyst Note

Auto-imported from Google Project Zero — confirmed zero-day by definition.

Triage Info

Decided atMar 05, 2026
Published DateJul 23, 2019