CVE-2018-5133 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure8 documents5 sources

Severity

6.5MEDIUMNVD

OSV8.8

EPSS

0.6%

top 29.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Canonical Ubuntu Linux

Timeline

PublishedJun 11

Latest updateMay 14

Description

If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. It will be executed if a user loads "chrome://browser/content/preferences/in-content/preferences.xul" directly in a tab and executes a search. This stored preference is also executed whenever an EME video player plugin displays a CDM-disabled message as a notification message. This vulnerability affects Firefox < 59.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/firefox< firefox 59.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 59

▶NVDmozilla/firefox< 59.0

▶Ubuntumozilla/firefox< 59.0+build5-0ubuntu0.14.04.1+4

Also affects: Ubuntu Linux 14.04, 16.04, 17.10

🔴Vulnerability Details

GHSA

GHSA-9rwp-r33f-q36c: If the "app↗2022-05-14

▶

OSV

firefox regression↗2018-04-06

▶

OSV

CVE-2018-5133: If the "app↗2018-03-14

▶

OSV

firefox vulnerabilities↗2018-03-14

▶

📋Vendor Advisories

Ubuntu

Firefox regression↗2018-04-06

▶

Ubuntu

Firefox vulnerabilities↗2018-03-14

▶

Debian

CVE-2018-5133: firefox - If the "app.support.baseURL" preference is changed by a malicious local program ...↗2018

▶