DEBIAN-CVE-2019-11707
PUBLISHED
CVSS 8.8 HIGH
A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.
Risk Scores
CVSS 3.1
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | firefox-esr | 0, 0, 0 |
| Debian:13 | thunderbird | 0, 0, 0 |
| Debian:11 | firefox-esr | 0, 0, 0 |
| Debian:12 | firefox-esr | 0, 0, 0 |
| Debian:14 | thunderbird | 0, 0, 0 |
| Debian:14 | firefox-esr | 0, 0, 0 |
| Debian:12 | thunderbird | 0, 0, 0 |
| Debian:11 | thunderbird | 0, 0, 0 |
Exploit Intelligence
- Proof of concept for CVE-2019-11707 (github-poc-repo)
- Proof of concept for CVE-2019-11707 (github-poc)
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1820 (github-poc)
- Exploit code for CVE-2019-11707 on Firefox 66.0.3 running on Ubuntu (github-poc)
- kev.json (github-poc)
- data.js (github-poc)
Timeline
- Jul 23, 2019 CVE Published
- Apr 28, 2026 CVE Updated