Vulnerability Details : CVE-2018-18506
When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, that PAC file can specify that requests to localhost are sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when a PAC file is in use it could allow attacks on services and tools that bind to localhost for networked behavior, if they are accessed through browsing. This vulnerability affects Firefox < 65.
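As an added defensive check (not code from the advisory or from Firefox), the audit below loads a PAC script with minimal stand-ins for the standard PAC helper functions and asks its FindProxyForURL how it would route loopback destinations; any answer other than DIRECT for such a host is the condition described above. The proxy name, the sample PAC scripts and the dnsResolve stub are constructed for the example.

```javascript
// Added example: audit a PAC script for routing loopback hosts through a proxy.
// The helpers are minimal stand-ins for the standard PAC API; dnsResolve is a
// constructed stub that only knows "localhost".
const ipToInt = (ip) => ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
const PAC_HELPERS = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, glob) => new RegExp('^' + glob.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(str),
  dnsResolve: (host) => (host === 'localhost' ? '127.0.0.1' : null),
  isInNet: (host, pattern, mask) => {
    const ip = /^\d+(\.\d+){3}$/.test(host) ? host : PAC_HELPERS.dnsResolve(host);
    return ip !== null &&
      ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ((ipToInt(pattern) & ipToInt(mask)) >>> 0);
  },
};
// Loopback destinations a PAC must never hand to a proxy.
const LOOPBACK_URLS = ['http://localhost/', 'http://127.0.0.1:8080/',
  'http://127.1.2.3/', 'http://[::1]/'];
// Evaluate the PAC source with the helpers in scope and return its FindProxyForURL.
// Caution: this executes the script; run untrusted PAC files in an isolated process.
function loadPac(pacSource) {
  const names = Object.keys(PAC_HELPERS);
  const factory = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  return factory(...names.map((n) => PAC_HELPERS[n]));
}
// One finding per loopback URL whose verdict contains anything but DIRECT.
function auditPac(pacSource) {
  const findProxy = loadPac(pacSource);
  const findings = [];
  for (const url of LOOPBACK_URLS) {
    const host = new URL(url).hostname.replace(/^\[|\]$/g, '');
    const verdict = String(findProxy(url, host)).trim();
    const proxied = verdict.split(';').map((s) => s.trim()).filter(Boolean)
      .some((s) => s.toUpperCase() !== 'DIRECT');
    if (proxied) findings.push({ url, verdict });
  }
  return findings;
}
// Constructed sample PACs: the first keeps loopback DIRECT, the second proxies everything.
const SAFE_PAC = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || isInNet(host, "127.0.0.0", "255.0.0.0") || host == "::1") return "DIRECT";
  return "PROXY proxy.example.test:8080";
}`;
const PROXY_ALL_PAC = 'function FindProxyForURL(url, host) { return "PROXY proxy.example.test:8080"; }';
```

Running `auditPac` over a PAC pushed by WPAD or DHCP before it is trusted gives a quick regression check; the stub resolver means names other than localhost are judged only by their literal form.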
Products affected by CVE-2018-18506
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-18506
EPSS score: 0.24% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~62% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2018-18506
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 | NIST |
References for CVE-2018-18506
- https://lists.debian.org/debian-lts-announce/2019/03/msg00024.html | [SECURITY] [DLA 1722-1] firefox-esr security update | Mailing List; Third Party Advisory
- https://security.gentoo.org/glsa/201904-07 | Mozilla Thunderbird and Firefox: Multiple vulnerabilities (GLSA 201904-07) — Gentoo security | Third Party Advisory
- https://www.debian.org/security/2019/dsa-4411 | Debian -- Security Information -- DSA-4411-1 firefox-esr | Third Party Advisory
- https://seclists.org/bugtraq/2019/Mar/28 | Bugtraq: [SECURITY] [DSA 4411-1] firefox-esr security update | Mailing List; Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00035.html | [security-announce] openSUSE-SU-2019:1056-1: important: Security update | Broken Link; Mailing List; Third Party Advisory
- https://www.debian.org/security/2019/dsa-4420 | Debian -- Security Information -- DSA-4420-1 thunderbird | Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0622 | RHSA-2019:0622 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- https://usn.ubuntu.com/3874-1/ | USN-3874-1: Firefox vulnerabilities | Ubuntu security notices | Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0966 | RHSA-2019:0966 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2019-01/ | Security vulnerabilities fixed in Firefox 65 — Mozilla | Vendor Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00043.html | [security-announce] openSUSE-SU-2019:1077-1: important: Security update | Mailing List; Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:1144 | RHSA-2019:1144 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0680 | RHSA-2019:0680 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- https://usn.ubuntu.com/3927-1/ | USN-3927-1: Thunderbird vulnerabilities | Ubuntu security notices | Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00023.html | [security-announce] openSUSE-SU-2019:1126-1: critical: Security update f | Mailing List; Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0681 | RHSA-2019:0681 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0623 | RHSA-2019:0623 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- http://www.securityfocus.com/bid/106773 | Mozilla Firefox MFSA2019-01 Multiple Security Vulnerabilities | Broken Link; Third Party Advisory; VDB Entry
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.html | [security-announce] openSUSE-SU-2019:1162-1: important: Security update | Mailing List; Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2019/04/msg00000.html | [SECURITY] [DLA 1743-1] thunderbird security update | Mailing List; Third Party Advisory
- https://seclists.org/bugtraq/2019/Apr/0 | Bugtraq: [SECURITY] [DSA 4420-1] thunderbird security update | Mailing List; Third Party Advisory