CVE-2019-11707

Published: 23/07/2019 Updated: 31/01/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 757
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

A type confusion bug exists in Firefox. If a user were tricked into opening a specially crafted website, an attacker could exploit this to cause a denial of service or execute arbitrary code.

Vulnerable Product

mozilla thunderbird

mozilla firefox esr

mozilla firefox

Vendor Advisories

Synopsis: Important: thunderbird security update. Type/Severity: Security Advisory: Important. Topic: An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) bas ...
Synopsis: Important: thunderbird security update. Type/Severity: Security Advisory: Important. Topic: An update for thunderbird is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) bas ...
Synopsis: Important: thunderbird security update. Type/Severity: Security Advisory: Important. Topic: An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) bas ...
Synopsis: Critical: firefox security update. Type/Severity: Security Advisory: Critical. Topic: An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, wh ...
Firefox could be made to crash or run programs as your login if it opened a malicious website ...
Several security issues were fixed in Thunderbird ...
Samuel Gross discovered a type confusion bug in the JavaScript engine of the Mozilla Firefox web browser, which could result in the execution of arbitrary code when browsing a malicious website. For the stable distribution (stretch), this problem has been fixed in version 60.7.1esr-1~deb9u1. We recommend that you upgrade your firefox-esr packages ...
Multiple security issues have been found in Thunderbird which may lead to the execution of arbitrary code if malformed email messages are read. For the stable distribution (stretch), these problems have been fixed in version 1:6072-1~deb9u1. We recommend that you upgrade your thunderbird packages. For the detailed security status of thunderbird p ...
libical: Heap buffer over read in icalparserc parser_get_next_char (CVE-2019-11703); libical: Type confusion in icaltimezone_get_vtimezone_properties function in icalpropertyc (CVE-2019-11706); Mozilla: Sandbox escape using Prompt:Open (CVE-2019-11708); libical: Stack buffer overflow in icalrecur_add_bydayrules in icalrecurc (CVE-2019-11705); libica ...
A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop, in Firefox before 67.0.3. This can allow for an exploitable crash. Mozilla has been made aware of targeted attacks in the wild abusing this flaw ...
Mozilla Foundation Security Advisory 2019-18: Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1. Announced: June 18, 2019. Impact: critical. Products: Firefox, Firefox ESR. Fixed in: Firefox ...
Mozilla Foundation Security Advisory 2019-20: Security vulnerabilities fixed in Thunderbird 6072. Announced: June 20, 2019. Impact: high. Products: Thunderbird. Fixed in: Thunderbird 6072 ...

Exploits

The following program (found through fuzzing and manually modified) crashes Spidermonkey built from the current beta channel and Firefox 66.0.3 (current stable): // Run with --no-threads for increased reliability const v4 = [{a: 0}, {a: 1}, {a: 2}, {a: 3}, {a: 4}]; function v7(v8,v9) { if (v4.length == 0) { v4[3] = ...
Mozilla Firefox version 67 Array.pop JIT type confusion exploit with sandbox escape ...
Spidermonkey IonMonkey incorrectly predicts return type of Array.prototype.pop, leading to type confusion vulnerabilities ...

Github Repositories

Submitting a text entry box or a website url

COINBASE HOW COINBASE BECAME THE LEADING CRYPTOCURRENCY APP IN THE USA Coinbase Global, Inc, branded Coinbase, is an American publicly traded company that operates a cryptocurrency exchange platform. The company was founded in 2012 and its headquarters were based in San Francisco, California until May 2020 when the company decided to move to a remote-first working enviro

Exploit code for CVE-2019-11707 on Firefox 66.0.3 running on Ubuntu

Exploit code for CVE-2019-11707. Full write-up can be found here

PKRU-Safe: PKRU-Safe is a new system that uses an MPK aware allocator and set of compiler extensions to protect data exclusively used by Rust code from abuse by memory unsafe legacy components. This is the main repository for the PKRU-Safe project. It contains PKRU-Safe instrumentation, a modified Rust compiler, a modified LLVM compiler, test programs, automation scripts, and do

BROWSER EXPLOITATION MATERIALS #Basics v8 engine docs #Write Ups attacking javascript engines Browser Exploitation CVE-2019-11707

CVE vulnerability mentioned in PKRU-Safe.

SpiderMonkey CVE-2019-11707: A simple html page with the exploit from CVE-2019-11707 for testing with PKRU-Safe Servo

https://bugs.chromium.org/p/project-zero/issues/detail?id=1820

SpiderMonkey - CVE-2019-11707. Bug: bugs.chromium.org/p/project-zero/issues/detail?id=1820. Screenshots. Files: exploitjs - Actual exploit, prepended by saelo's utiljs & Int64js; stagerjs - Used for creating constants, prepended by saelo's utiljs & Int64js; stagerpy - Used to assemble instructions using keystone. Output is fed to stagerj

Recent Articles

IT threat evolution Q2 2019. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Boris Larin, Oleg Kupreev, Evgeny Lopatin • 19 Aug 2019

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data. According to Kaspersky Security Network, Q2 2019 will be remembered for several events. First, we uncovered a large-scale financial threat by the name of Riltok, which targeted clients of not only major Russian banks, but some foreign ones too. Second, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobile accounts through explo...

Digi-dosh exchange Coinbase: Someone tried to pwn our staff via this week's Firefox zero-day security hole
The Register • Shaun Nichols in San Francisco • 20 Jun 2019

Patch released after crypto-currency biz sounded alarm

The development and release of a critical Firefox security patch this week was, in part, triggered by an attempted cyber-heist of crypto-coin exchange Coinbase. Coinbase chief information security officer Philip Martin said on Wednesday night the digital-dosh trading site was one of the prime targets of hackers, who tried to exploit a zero-day vulnerability, CVE-2019-11707, a JavaScript type-confusion flaw in Firefox, to execute malicious code on Coinbase staff machines. Coinbase, along with Pro...

Awoogah! Awoogah! Firefox fans urged to update and patch zero-day hole exploited in the wild by miscreants
The Register • Shaun Nichols in San Francisco • 18 Jun 2019

Just make sure you're running the latest version

Mozilla has released an emergency critical update for Firefox to squash a zero-day vulnerability that is under active attack. The Firefox 67.0.3 and ESR 60.7.1 builds include a patch for CVE-2019-11707. The vulnerability is a type confusion bug in the way Firefox handles JavaScript objects in Array.pop. By manipulating the object in the array, malicious JavaScript on a webpage could get the ability to remotely execute code without any user interaction. This is a bad thing. What's worse, Mozilla ...