CVE-2018-12368User Interface (UI) Misrepresentation of Critical Information in Mozilla Firefox

CWE-451User Interface (UI) Misrepresentation of Critical Information5 documents5 sources
Severity
8.1HIGHNVD
EPSS
2.0%
top 16.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird+3 more
Timeline
PublishedOct 18
Latest updateMay 13

Description

Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages9 packages

CVEListV5mozilla/firefoxunspecified61
NVDmozilla/firefox53.060.1.0+1
CVEListV5mozilla/firefox_esrunspecified60.1+1

🔴Vulnerability Details

1
GHSA
GHSA-ghmm-93ww-fvhh: Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the inter2022-05-13

📋Vendor Advisories

2
Red Hat
Mozilla: No warning when opening executable SettingContent-ms files2018-06-26
Debian
CVE-2018-12368: firefox - Windows 10 does not warn users before opening executable files with the SettingC...2018

💬Community

1
Bugzilla
CVE-2018-12368 Mozilla: No warning when opening executable SettingContent-ms files2018-06-26