Severity
NVD: 6.5 MEDIUM
OSV: 9.8
EPSS
0.3%
top 44.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 28
Latest update: May 13

Description

WebExtension content scripts can be loaded into about: pages in some circumstances, in violation of the permissions granted to extensions. This could allow an extension to interfere with the loading and usage of these pages and use capabilities that were intended to be restricted from extensions. This vulnerability affects Firefox < 64.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (4 packages)

Source | Package | Affected versions
debian | debian/firefox | < firefox 64.0-1 (sid)
CVEListV5 | mozilla/firefox | unspecified 64
NVD | mozilla/firefox | < 64.0
Ubuntu | mozilla/firefox | < 64.0+build3-0ubuntu0.14.04.1+2

Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 18.10

🔴 Vulnerability Details (3)

GHSA
GHSA-c244-84j9-388q: WebExtension content scripts can be loaded into about: pages in some circumstances, in violation of the permissions granted to extensions (2022-05-13)
OSV
CVE-2018-18495: WebExtension content scripts can be loaded into about: pages in some circumstances, in violation of the permissions granted to extensions (2018-12-11)
OSV
firefox vulnerabilities (2018-12-11)

📋 Vendor Advisories (3)

Ubuntu
Firefox vulnerabilities (2018-12-11)
Red Hat
firefox: WebExtension content scripts can be loaded in about: pages (2018-12-11)
Debian
CVE-2018-18495: firefox - WebExtension content scripts can be loaded into about: pages in some circumstanc... (2018)

💬 Community (1)

Bugzilla
CVE-2018-18495 firefox: WebExtension content scripts can be loaded in about: pages (2019-04-04)