Vulnerability Details : CVE-2018-12368
Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
Vulnerability category: Execute code
Products affected by CVE-2018-12368
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*When used together with: Microsoft » Windows 10
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*When used together with: Microsoft » Windows 10
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*When used together with: Microsoft » Windows 10
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*When used together with: Microsoft » Windows 10
Exploit prediction scoring system (EPSS) score for CVE-2018-12368
12.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 95 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-12368
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST | |
8.1
|
HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
References for CVE-2018-12368
-
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
The Tale of SettingContent-ms Files - Posts By SpecterOps Team MembersExploit;Third Party Advisory
-
http://www.securitytracker.com/id/1041193
Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityThird Party Advisory;VDB Entry
-
https://www.mozilla.org/security/advisories/mfsa2018-17/
Security vulnerabilities fixed in Firefox ESR 52.9 — MozillaVendor Advisory
-
http://www.securityfocus.com/bid/104560
Mozilla Firefox and Firefox ESR Multiple Security VulnerabilitiesThird Party Advisory;VDB Entry
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1468217
Access DeniedIssue Tracking;Permissions Required;Vendor Advisory
-
https://security.gentoo.org/glsa/201810-01
Mozilla Firefox: Multiple vulnerabilities (GLSA 201810-01) — Gentoo securityThird Party Advisory
-
https://www.mozilla.org/security/advisories/mfsa2018-15/
Security vulnerabilities fixed in Firefox 61 — MozillaVendor Advisory
-
https://www.mozilla.org/security/advisories/mfsa2018-19/
Security vulnerabilities fixed in Thunderbird 60 — MozillaVendor Advisory
-
https://www.mozilla.org/security/advisories/mfsa2018-18/
Security vulnerabilities fixed in Thunderbird 52.9 — MozillaVendor Advisory
-
https://www.mozilla.org/security/advisories/mfsa2018-16/
Security vulnerabilities fixed in Firefox ESR 60.1 — MozillaVendor Advisory
Jump to