CVE-2018-12398 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation CWE-79 — Cross-site Scripting CWE-284 — Improper Access Control10 documents7 sources

Severity

6.5MEDIUMNVD

OSV8.8

EPSS

0.3%

top 51.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Canonical Ubuntu Linux

Timeline

PublishedFeb 28

Latest updateMay 13

Description

By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy (CSP). This vulnerability affects Firefox < 63.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/firefox< firefox 63.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 63

▶NVDmozilla/firefox< 63.0

▶Ubuntumozilla/firefox< 63.0+build2-0ubuntu0.14.04.2+5

Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 18.10

🔴Vulnerability Details

GHSA

GHSA-mmrj-hw4g-j8hv: By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy (CS↗2022-05-13

▶

OSV

firefox regressions↗2018-11-23

▶

OSV

CVE-2018-12398: By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy (CS↗2018-10-24

▶

OSV

firefox vulnerabilities↗2018-10-24

▶

📋Vendor Advisories

Ubuntu

Firefox regressions↗2018-11-23

▶

Ubuntu

Firefox vulnerabilities↗2018-10-24

▶

Red Hat

firefox: Content Security Policy bypass through stylesheet injection in resource URIs↗2018-10-23

▶

Debian

CVE-2018-12398: firefox - By using the reflected URL in some special resource URIs, such as chrome:, it is...↗2018

▶

💬Community

Bugzilla

CVE-2018-12398 firefox: Content Security Policy bypass through stylesheet injection in resource URIs↗2019-03-28

▶