Vulnerability Details : CVE-2018-5112
Development Tools panels of an extension are required to load URLs for the panels as relative URLs from the extension manifest file but this requirement was not enforced in all instances. This could allow the development tools panel for the extension to load a URL that it should not be able to access, including potentially privileged pages. This vulnerability affects Firefox < 58.
Products affected by CVE-2018-5112
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-5112
0.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 66 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-5112
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2018-5112
-
The product makes files or directories accessible to unauthorized actors, even though they should not be.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-5112
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1425224
1425224 - (CVE-2018-5112) browser.devtools.panels.create does not ensure panel pagePath is relative URLIssue Tracking;Permissions Required
-
https://www.mozilla.org/security/advisories/mfsa2018-02/
Security vulnerabilities fixed in Firefox 58 — MozillaVendor Advisory
-
http://www.securityfocus.com/bid/102786
Mozilla Firefox MFSA2018-02 Multiple Security VulnerabilitiesThird Party Advisory;VDB Entry
-
https://usn.ubuntu.com/3544-1/
USN-3544-1: Firefox vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://www.securitytracker.com/id/1040270
Mozilla Firefox Multiple Bugs Let Remote Users Spoof URLs, Bypass Cross-Domain Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityTrackerThird Party Advisory;VDB Entry
Jump to