CVE-2018-18496 — UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021 — UI Misrepresentation / Clickjacking3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 38.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedFeb 28

Latest updateMay 13

Description

When the RSS Feed preview about:feeds page is framed within another page, it can be used in concert with scripted content for a clickjacking attack that confuses users into downloading and executing an executable file from a temporary directory. *Note: This issue only affects Windows operating systems. Other operating systems are not affected.*. This vulnerability affects Firefox < 64.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5mozilla/firefoxunspecified — 64

▶NVDmozilla/firefox< 64.0

▶debiandebian/firefox

🔴Vulnerability Details

GHSA

GHSA-r3rp-58g5-pvr5: When the RSS Feed preview about:feeds page is framed within another page, it can be used in concert with scripted content for a clickjacking attack th↗2022-05-13

▶

📋Vendor Advisories

Debian

CVE-2018-18496: firefox - When the RSS Feed preview about:feeds page is framed within another page, it can...↗2018

▶