CVE-2018-12381 — Externally Controlled Reference to a Resource in Another Sphere in Mozilla Firefox

CWE-610 — Externally Controlled Reference to a Resource in Another Sphere CWE-451 — User Interface (UI) Misrepresentation of Critical Information5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.6%

top 29.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Debian Firefox +1 more

Timeline

PublishedOct 18

Latest updateMay 13

Description

Manually dragging and dropping an Outlook email message into the browser will trigger a page navigation when the message's mail columns are incorrectly interpreted as a URL. *Note: this issue only affects Windows operating systems with Outlook installed. Other operating systems are not affected.*. This vulnerability affects Firefox ESR < 60.2 and Firefox < 62.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶CVEListV5mozilla/firefoxunspecified — 62

▶NVDmozilla/firefox< 60.2.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 60.2

▶debiandebian/firefox

▶debiandebian/firefox-esr

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-pqvw-c6xw-gpp5: Manually dragging and dropping an Outlook email message into the browser will trigger a page navigation when the message's mail columns are incorrectl↗2022-05-13

▶

📋Vendor Advisories

Red Hat

Mozilla: Dragging and dropping Outlook email message results in page navigation↗2018-09-05

▶

Debian

CVE-2018-12381: firefox - Manually dragging and dropping an Outlook email message into the browser will tr...↗2018

▶

💬Community

Bugzilla

CVE-2018-12381 Mozilla: Dragging and dropping Outlook email message results in page navigation↗2018-09-05

▶