Vulnerability Details : CVE-2018-12382
Potential exploit
The displayed addressbar URL can be spoofed on Firefox for Android using a javascript: URI in concert with JavaScript to insert text before the loaded domain name, scrolling the loaded domain out of view to the right. This can lead to user confusion. *This vulnerability only affects Firefox for Android < 62.*
Vulnerability category: Input validation
Products affected by CVE-2018-12382
- cpe:2.3:a:mozilla:firefox:62.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-12382
- 0.18%: Probability of exploitation activity in the next 30 days
- ~ 56%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-12382
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2018-12382
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-12382
- http://www.securitytracker.com/id/1041610
  Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code - SecurityTracker (Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/105276
  Mozilla Firefox MFSA2018-20 Multiple Security Vulnerabilities (Third Party Advisory; VDB Entry)
- https://bugzilla.mozilla.org/show_bug.cgi?id=1479311
  1479311 - (CVE-2018-12382) Firefox for Android - AddressBar Spoofing using specially-crafted javascript: URL opened in a new tab (Exploit; Issue Tracking; Vendor Advisory)
- https://www.mozilla.org/security/advisories/mfsa2018-20/
  Security vulnerabilities fixed in Firefox 62 — Mozilla (Vendor Advisory)