CVE-2018-18506 — Sensitive Information Exposure in Mozilla Firefox
Severity
5.9 MEDIUM (NVD)
EPSS
2.4%
top 15.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 5
Latest update: May 13
Description
When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attacks on services and tools that bind to the localhost for networked behavior if they are accessed through browsing. This vulnerability affects F…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.2 | Impact: 3.6
Affected Packages: 8 packages
Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 18.04, 18.10, Enterprise Linux 8.0, 8.1, 8.2, 8.4, 8.6, 7.6
🔴 Vulnerability Details (5)
GHSA
GHSA-4gc3-hqxg-hgp9: When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file c... (2022-05-13)
OSV
CVE-2018-18506: When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file c... (2019-02-05)
CVEList
CVE-2018-18506: When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file c... (2019-02-05)
📋 Vendor Advisories (4)
Debian
CVE-2018-18506: firefox - When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Config... (2018)
💬 Community (1)
Bugzilla
CVE-2018-18506 Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (2019-03-20)