CVE-2018-12369 — Incorrect Authorization in Mozilla Firefox

CWE-863 — Incorrect Authorization CWE-829 — Inclusion of Functionality from Untrusted Control Sphere10 documents7 sources

Severity

9.8CRITICALNVD

OSV4.3

EPSS

0.6%

top 31.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Debian Firefox +1 more

Timeline

PublishedOct 18

Latest updateMay 13

Description

WebExtensions bundled with embedded experiments were not correctly checked for proper authorization. This allowed a malicious WebExtension to gain full browser permissions. This vulnerability affects Firefox ESR < 60.1 and Firefox < 61.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶debiandebian/firefox< firefox 61.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 61

▶NVDmozilla/firefox< 60.1.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 60.1

▶Ubuntumozilla/firefox< 61.0.1+build1-0ubuntu0.14.04.1+5

Also affects: Ubuntu Linux 14.04, 16.04, 17.10, 18.04

🔴Vulnerability Details

GHSA

GHSA-pp5v-ch72-95w4: WebExtensions bundled with embedded experiments were not correctly checked for proper authorization↗2022-05-13

▶

OSV

firefox regressions↗2018-07-10

▶

OSV

firefox vulnerabilities↗2018-07-05

▶

OSV

CVE-2018-12369: WebExtensions bundled with embedded experiments were not correctly checked for proper authorization↗2018-06-27

▶

📋Vendor Advisories

Ubuntu

Firefox regressions↗2018-07-10

▶

Ubuntu

Firefox vulnerabilities↗2018-07-05

▶

Red Hat

Mozilla: WebExtension security permission checks bypassed by embedded experiments↗2018-06-26

▶

Debian

CVE-2018-12369: firefox - WebExtensions bundled with embedded experiments were not correctly checked for p...↗2018

▶

💬Community

Bugzilla

CVE-2018-12369 Mozilla: WebExtension security permission checks bypassed by embedded experiments↗2018-06-26

▶