CVE-2018-18495

Published: Feb 28, 2019Modified: Nov 21, 2024

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

WebExtension content scripts can be loaded into about: pages in some circumstances, in violation of the permissions granted to extensions. This could allow an extension to interfere with the loading and usage of these pages and use capabilities that were intended to be restricted from extensions. This vulnerability affects Firefox < 64.

Affected (5)

Products: Mozilla: Firefox · Canonical: Ubuntu Linux

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 64.0

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 18.10

Related CWEs

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (8)

http://www.securityfocus.com/bid/106167

Source: security@mozilla.org

Third Party AdvisoryVDB Entry

https://bugzilla.mozilla.org/show_bug.cgi?id=1427585

Source: security@mozilla.org

Issue TrackingPermissions RequiredVendor Advisory

https://usn.ubuntu.com/3844-1/

Source: security@mozilla.org

Third Party Advisory

https://www.mozilla.org/security/advisories/mfsa2018-29/

Source: security@mozilla.org

Vendor Advisory

http://www.securityfocus.com/bid/106167

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://bugzilla.mozilla.org/show_bug.cgi?id=1427585

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPermissions RequiredVendor Advisory

https://usn.ubuntu.com/3844-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.mozilla.org/security/advisories/mfsa2018-29/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.