Vulnerability Details : CVE-2018-12397
A WebExtension can request access to local files without the user being shown the warning prompt stating that the extension will "Access your data for all websites". This allows extensions to run content scripts in local pages without permission warnings when a local file is opened. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.
Vulnerability category: Information leak
Products affected by CVE-2018-12397
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-12397
- EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~21% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2018-12397
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.6 | LOW | AV:L/AC:L/Au:N/C:P/I:P/A:N | 3.9 | 4.9 | NIST |
7.1 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 1.8 | 5.2 | NIST |
CWE ids for CVE-2018-12397
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2018-12397
- https://access.redhat.com/errata/RHSA-2018:3005 : RHSA-2018:3005 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://bugzilla.mozilla.org/show_bug.cgi?id=1487478 : Mozilla Bugzilla bug 1487478 (Issue Tracking; Permissions Required; Vendor Advisory)
- https://usn.ubuntu.com/3801-1/ : USN-3801-1: Firefox vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4324 : Debian -- Security Information -- DSA-4324-1 firefox-esr (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3006 : RHSA-2018:3006 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.securityfocus.com/bid/105718 : Mozilla Firefox and Firefox ESR Multiple Security Vulnerabilities (Third Party Advisory; VDB Entry)
- https://lists.debian.org/debian-lts-announce/2018/11/msg00008.html : [SECURITY] [DLA 1571-1] firefox-esr security update (Mailing List; Third Party Advisory)
- https://security.gentoo.org/glsa/201811-04 : Mozilla Firefox: Multiple vulnerabilities (GLSA 201811-04) — Gentoo security (Third Party Advisory)
- https://www.mozilla.org/security/advisories/mfsa2018-27/ : Security vulnerabilities fixed in Firefox ESR 60.3 — Mozilla (Vendor Advisory)
- https://www.mozilla.org/security/advisories/mfsa2018-26/ : Security vulnerabilities fixed in Firefox 63 — Mozilla (Vendor Advisory)
- http://www.securitytracker.com/id/1041944 : Mozilla Firefox Multiple Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityTracker (Third Party Advisory; VDB Entry)