CVE-2018-12396

CWE-732 — Incorrect Permission Assignment CWE-284 — Improper Access Control8 documents8 sources

Severity

6.5MEDIUM

EPSS

1.1%

top 21.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Canonical Ubuntu Linux +7 more

Timeline

PublishedFeb 28

Latest updateMay 13

Description

A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

▶CVEListV5mozilla/firefoxunspecified — 63

▶NVDmozilla/firefox< 63.0

▶CVEListV5mozilla/firefox_esrunspecified — 60.3

▶NVDmozilla/firefox_esr< 60.3

▶Debianfirefox-esr< 60.3.0esr-1+3

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 18.04, 18.10, Enterprise Linux 7.6

🔴Vulnerability Details

GHSA

GHSA-5c59-7337-gvv9: A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events↗2022-05-13

▶

CVEList

CVE-2018-12396: A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events↗2019-02-28

▶

OSV

CVE-2018-12396: A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events↗2019-02-28

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2018-10-24

▶

Red Hat

Mozilla: WebExtension content scripts can execute in disallowed contexts↗2018-10-23

▶

Debian

CVE-2018-12396: firefox - A vulnerability where a WebExtension can run content scripts in disallowed conte...↗2018

▶

💬Community

Bugzilla

CVE-2018-12396 Mozilla: WebExtension content scripts can execute in disallowed contexts↗2018-10-23

▶