CVE-2018-12397
Severity
7.1 HIGH
EPSS
0.1%
top 79.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 28
Latest update: May 14
Description
A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.8 | Impact: 5.2
Affected Packages: 7 packages
Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 18.04, 18.10, Enterprise Linux 7.5
Vulnerability Details
GHSA
GHSA-xxh5-92qj-c4gh: A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being (2022-05-14)
CVEList
CVE-2018-12397: A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being (2019-02-28)
OSV
CVE-2018-12397: A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being (2019-02-28)