CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
90.4%
Severity: High
Date : 2019-06-25
CVE-ID : CVE-2019-11708
Package : firefox
Type : sandbox escape
Remote : Yes
Link : https://security.archlinux.org/AVG-997
The package firefox before version 67.0.4-1 is vulnerable to sandbox
escape.
Upgrade to 67.0.4-1.
The problem has been fixed upstream in version 67.0.4.
None.
An issue has been found in Firefox before 67.0.4, where an insufficient
vetting of parameters passed with the Prompt:Open IPC message between
child and parent processes can result in the non-sandboxed parent
process opening web content chosen by a compromised child process. When
combined with additional vulnerabilities this could result in executing
arbitrary code on the user’s computer.
An attacker could use this vulnerability, combined with another one, to
bypass the sandbox and execute arbitrary code on the host.
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/#CVE-2019-11708
https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
https://security.archlinux.org/CVE-2019-11708
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
90.4%