CVE-2018-12403Product UI does not Warn User of Unsafe Actions in Mozilla Firefox

CWE-356Product UI does not Warn User of Unsafe ActionsCWE-290Authentication Bypass by Spoofing10 documents7 sources
Severity
5.3MEDIUMNVD
OSV8.8
EPSS
0.5%
top 33.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxDebian FirefoxCanonical Ubuntu Linux
Timeline
PublishedFeb 28
Latest updateMay 13

Description

If a site is loaded over a HTTPS connection but loads a favicon resource over HTTP, the mixed content warning is not displayed to users. This vulnerability affects Firefox < 63.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

debiandebian/firefox< firefox 63.0-1 (sid)
CVEListV5mozilla/firefoxunspecified63
NVDmozilla/firefox< 63.0
Ubuntumozilla/firefox< 63.0+build2-0ubuntu0.14.04.2+5

Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 18.10

🔴Vulnerability Details

4
GHSA
GHSA-rvgp-cj49-43c7: If a site is loaded over a HTTPS connection but loads a favicon resource over HTTP, the mixed content warning is not displayed to users2022-05-13
OSV
firefox regressions2018-11-23
OSV
CVE-2018-12403: If a site is loaded over a HTTPS connection but loads a favicon resource over HTTP, the mixed content warning is not displayed to users2018-10-24
OSV
firefox vulnerabilities2018-10-24

📋Vendor Advisories

4
Ubuntu
Firefox regressions2018-11-23
Ubuntu
Firefox vulnerabilities2018-10-24
Red Hat
firefox: mixed content warning is not displayed when HTTPS page loads a favicon over HTTP2018-10-23
Debian
CVE-2018-12403: firefox - If a site is loaded over a HTTPS connection but loads a favicon resource over HT...2018

💬Community

1
Bugzilla
CVE-2018-12403 firefox: mixed content warning is not displayed when HTTPS page loads a favicon over HTTP2019-03-25