CVE-2018-12399
published 2019-02-28CVE-2018-12399: When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new…
PriorityP419medium4.3CVSS 3.0
AVNACLPRNUIRSUCNILAN
EPSS
1.36%
68.3th percentile
When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | firefox | < firefox 63.0-1 (sid) | firefox 63.0-1 (sid) |
| mozilla | firefox | < 63.0 | 63.0 |
| mozilla | firefox | >= 0 < 63.0.3+build1-0ubuntu0.14.04.1 | 63.0.3+build1-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 63.0+build2-0ubuntu0.14.04.2 | 63.0+build2-0ubuntu0.14.04.2 |
| mozilla | firefox | >= 0 < 63.0.3+build1-0ubuntu0.16.04.1 | 63.0.3+build1-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 63.0+build2-0ubuntu0.16.04.2 | 63.0+build2-0ubuntu0.16.04.2 |
| mozilla | firefox | >= 0 < 63.0.3+build1-0ubuntu0.18.04.1 | 63.0.3+build1-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 63.0+build2-0ubuntu0.18.04.2 | 63.0+build2-0ubuntu0.18.04.2 |
| mozilla | firefox | >= unspecified < 63 | 63 |
CVSS provenance
nvdv3.04.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv8.8HIGH
vendor_ubuntu8.8HIGH
vendor_debian4.3MEDIUM
vendor_redhat4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Firefox regressions
vendor_ubuntu·2018-11-23·CVSS 8.8
[HIGH] Firefox regressions
Title: Firefox regressions
Summary: USN-3801-1 caused some minor regressions in Firefox.
USN-3801-1 fixed vulnerabilities in Firefox. The update introduced various
minor regressions. This update fixes the problems.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass CSP
restrictions, spoof the protocol registration notification bar, leak
SameSite cookies, bypass mixed content warnings, or execute arbitrary
code. (CVE-2018-12388, CVE-2018-12390, CVE-2018-12392, CVE-2018-12393,
CVE-2018-12398, CVE-2018-12399, CVE-2018-12401, CVE-2018-12402,
CVE-2018-12403)
Multiple security issu
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2018-10-24·CVSS 8.8
CVE-2018-12388 [HIGH] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass CSP
restrictions, spoof the protocol registration notification bar, leak
SameSite cookies, bypass mixed content warnings, or execute arbitrary
code. (CVE-2018-12388, CVE-2018-12390, CVE-2018-12392, CVE-2018-12393,
CVE-2018-12398, CVE-2018-12399, CVE-2018-12401, CVE-2018-12402,
CVE-2018-12403)
Multiple security issues were discovered with WebExtensions in Firefox.
If a user were tricked in to installing a specially crafted extension, an
attacker could potenti
Red Hat
firefox: Spoofing of protocol registration notification bar
vendor_redhat·2018-10-23·CVSS 4.3
CVE-2018-12399 [MEDIUM] CWE-290 firefox: Spoofing of protocol registration notification bar
firefox: Spoofing of protocol registration notification bar
When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63.
Package: firefox (Red Hat Enterprise Linux 6) - Will not fix
Package: firefox (Red Hat Enterprise Linux 7) - Will not fix
Package: firefox (Red Hat Enterprise Linux 8) - Will not fix
Debian
CVE-2018-12399: firefox - When a new protocol handler is registered, the API accepts a title argument whic...
vendor_debian·2018·CVSS 4.3
CVE-2018-12399 [MEDIUM] CVE-2018-12399: firefox - When a new protocol handler is registered, the API accepts a title argument whic...
When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63.
Scope: local
sid: resolved (fixed in 63.0-1)
GHSA
GHSA-rw88-vh2c-q47r: When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the n
ghsa_unreviewed·2022-05-14
CVE-2018-12399 [MEDIUM] CWE-287 GHSA-rw88-vh2c-q47r: When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the n
When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63.
OSV
firefox regressions
osv·2018-11-23·CVSS 8.8
[HIGH] firefox regressions
firefox regressions
USN-3801-1 fixed vulnerabilities in Firefox. The update introduced various
minor regressions. This update fixes the problems.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass CSP
restrictions, spoof the protocol registration notification bar, leak
SameSite cookies, bypass mixed content warnings, or execute arbitrary
code. (CVE-2018-12388, CVE-2018-12390, CVE-2018-12392, CVE-2018-12393,
CVE-2018-12398, CVE-2018-12399, CVE-2018-12401, CVE-2018-12402,
CVE-2018-12403)
Multiple security issues were discovered with WebExtensions in Firefox.
If a user were trick
OSV
firefox vulnerabilities
osv·2018-10-24·CVSS 8.8
CVE-2018-12388 [HIGH] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass CSP
restrictions, spoof the protocol registration notification bar, leak
SameSite cookies, bypass mixed content warnings, or execute arbitrary
code. (CVE-2018-12388, CVE-2018-12390, CVE-2018-12392, CVE-2018-12393,
CVE-2018-12398, CVE-2018-12399, CVE-2018-12401, CVE-2018-12402,
CVE-2018-12403)
Multiple security issues were discovered with WebExtensions in Firefox.
If a user were tricked in to installing a specially crafted extension, an
attacker could potentially exploit these to bypass domain restrictions,
gain additional privileges, or run content scripts in local pa
OSV
CVE-2018-12399: When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the n
osv·2018-10-24·CVSS 4.3
CVE-2018-12399 [MEDIUM] CVE-2018-12399: When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the n
When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63.
No detection rules found.
No public exploits indexed.
http://www.securityfocus.com/bid/105721http://www.securitytracker.com/id/1041944https://bugzilla.mozilla.org/show_bug.cgi?id=1490276https://usn.ubuntu.com/3801-1/https://www.mozilla.org/security/advisories/mfsa2018-26/http://www.securityfocus.com/bid/105721http://www.securitytracker.com/id/1041944https://bugzilla.mozilla.org/show_bug.cgi?id=1490276https://usn.ubuntu.com/3801-1/https://www.mozilla.org/security/advisories/mfsa2018-26/
2019-02-28
Published