CVE-2019-1429

High · CVSS 7.5EPSS 72.6%CISA KEVCWE-416 · Use After Free

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1426, CVE-2019-1427, CVE-2019-1428.

References

NVD MITRE CVE.org CISA KEV

Published Nov 12, 2019

Community ground truth

Community verdict

4 verdicts

Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.

to add your verdict.

Community real-world severity: High (High 2 · Medium 1) — CVSS base score 7.5

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

0
Field note · Tomáš NovákCurated
Memory corruption in the IE scripting engine, reachable via a crafted web page — classic drive-by RCE in the context of the current user. It's in the CISA KEV catalog (confirmed exploited in the wild). CVSS attack complexity is High and it needs user interaction (visiting a malicious/compromised page), but reliable exploitation has been demonstrated — treat it as real.

Sources: MSRC · CISA KEV · Rapid7
0
Remediation · Hanna BergCurated
Apply the November 2019 cumulative / IE security update (covers IE 9/10/11). Where IE isn't required, disable it via GPO and remove it from the default launch path — the Chromium-based Edge is not affected. Patch first; disabling IE is defense-in-depth, not a substitute.

Source: MSRC advisory.
0
Field note · Waleed AzizCurated
Triage caveat — we marked this false positive / noise for our fleet: IE11 is disabled via GPO and not launchable by users, yet the scanner still flags hosts purely on patch level. The vulnerable path isn't reachable here. Confirm whether IE is actually exposed in your environment before treating the KEV flag as critical — otherwise it's noise on a managed estate.