{"api_version":"1","generated_at":"2026-04-23T03:25:18+00:00","cve":"CVE-2019-11707","urls":{"html":"https://cve.report/CVE-2019-11707","api":"https://cve.report/api/cve/CVE-2019-11707.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-11707","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-11707"},"summary":{"title":"CVE-2019-11707","description":"A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2019-07-23 14:15:00","updated_at":"2023-01-31 14:15:00"},"problem_types":["CWE-843"],"metrics":[],"references":[{"url":"https://www.mozilla.org/security/advisories/mfsa2019-20/","name":"https://www.mozilla.org/security/advisories/mfsa2019-20/","refsource":"MISC","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Thunderbird 60.7.2 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2019-18/","name":"https://www.mozilla.org/security/advisories/mfsa2019-18/","refsource":"MISC","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1 — Mozilla","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201908-12","name":"GLSA-201908-12","refsource":"GENTOO","tags":[],"title":"Mozilla Firefox: Multiple vulnerabilities (GLSA 201908-12) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1544386","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1544386","refsource":"MISC","tags":["Issue Tracking","Permissions Required","Vendor Advisory"],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-11707","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11707","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"11707","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11707","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11707","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11707","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11707","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"11707","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2019","cve_id":"11707","cve":"CVE-2019-11707","vendorProject":"Mozilla","product":"Firefox and Thunderbird","vulnerabilityName":"Mozilla Firefox and Thunderbird Type Confusion Vulnerability","dateAdded":"2022-05-23","shortDescription":"Mozilla Firefox and Thunderbird contain a type confusion vulnerability that can occur when manipulating JavaScript objects due to issues in Array.pop, allowing for an exploitable crash.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2022-06-13","knownRansomwareCampaignUse":"Unknown","notes":"https://nvd.nist.gov/vuln/detail/CVE-2019-11707","cwes":"CWE-843","catalogVersion":"2026.04.22","updated_at":"2026-04-22 20:03:10"},"epss":{"cve_year":"2019","cve_id":"11707","cve":"CVE-2019-11707","epss":"0.844280000","percentile":"0.993290000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:16"},"legacy_qids":[{"cve":"CVE-2019-11707","qid":"500412","title":"Alpine Linux Security Update for mozjs60"},{"cve":"CVE-2019-11707","qid":"500917","title":"Alpine Linux Security Update for firefox-esr"},{"cve":"CVE-2019-11707","qid":"501201","title":"Alpine Linux Security Update for mozjs68"},{"cve":"CVE-2019-11707","qid":"504782","title":"Alpine Linux Security Update for firefox-esr"},{"cve":"CVE-2019-11707","qid":"673432","title":"EulerOS Security Update for mozjs60 (EulerOS-SA-2024-1201)"},{"cve":"CVE-2019-11707","qid":"673588","title":"EulerOS Security Update for mozjs60 (EulerOS-SA-2024-1319)"},{"cve":"CVE-2019-11707","qid":"673812","title":"EulerOS Security Update for mozjs60 (EulerOS-SA-2024-1181)"},{"cve":"CVE-2019-11707","qid":"674109","title":"EulerOS Security Update for mozjs60 (EulerOS-SA-2024-1341)"},{"cve":"CVE-2019-11707","qid":"690682","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for mozilla (0cea6e0a-7a39-4dac-b3ec-dbc13d404f76)"},{"cve":"CVE-2019-11707","qid":"710148","title":"Gentoo Linux Mozilla Firefox Multiple vulnerabilities (GLSA 201908-12)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-11707","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox ESR","version":{"version_data":[{"version_value":"60.7.1","version_affected":"<"}]}},{"product_name":"Firefox","version":{"version_data":[{"version_value":"67.0.3","version_affected":"<"}]}},{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"60.7.2","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Type confusion in Array.pop"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2019-20/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2019-20/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2019-18/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2019-18/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1544386","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1544386"},{"refsource":"GENTOO","name":"GLSA-201908-12","url":"https://security.gentoo.org/glsa/201908-12"}]},"description":{"description_data":[{"lang":"eng","value":"A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2."}]}},"nvd":{"publishedDate":"2019-07-23 14:15:00","lastModifiedDate":"2023-01-31 14:15:00","problem_types":["CWE-843"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"60.7.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"60.7.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"60.7.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"11707","Ordinal":"150029","Title":"CVE-2019-11707","CVE":"CVE-2019-11707","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"11707","Ordinal":"1","NoteData":"A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"11707","Ordinal":"2","NoteData":"2019-07-23","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"11707","Ordinal":"3","NoteData":"2019-08-15","Type":"Other","Title":"Modified"}]}}}