CVE-2019-11707

HIGH8.8⚠ KEVEPSS 84.3%

thunderbird - security update

Published: 7/23/2019Modified: 11/19/2025Added to CISA KEV: 5/23/2022

Also known as:ALPINE-CVE-2019-11707DEBIAN-CVE-2019-11707

Description

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

Affected packages (7)

Alpine/mozjs60from 0, < 60.7.2-r0
Debian/firefox-esrfrom 0, < 60.7.1esr-1
Debian/firefox-esrfrom 0, < 60.7.1esr-1~deb8u1
Debian/firefox-esrfrom 0, < 60.7.1esr-1~deb9u1
Debian/thunderbirdfrom 0, < 1:60.7.2-1~deb8u1
Debian/thunderbirdfrom 0, < 1:60.7.2-1~deb9u1
Debian/thunderbirdfrom 0, < 1:60.7.2-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2019-11707
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-11707