CVE-2018-5135 — Missing Authorization in Mozilla Firefox

CWE-862 — Missing Authorization8 documents5 sources

Severity

7.5HIGHNVD

OSV8.8

EPSS

1.0%

top 23.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJun 11

Latest updateMay 13

Description

WebExtensions can bypass normal restrictions in some circumstances and use "browser.tabs.executeScript" to inject scripts into contexts where this should not be allowed, such as pages from other WebExtensions or unprivileged "about:" pages. This vulnerability affects Firefox < 59.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/firefox< firefox 59.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 59

▶NVDmozilla/firefox< 59.0

▶Ubuntumozilla/firefox< 59.0+build5-0ubuntu0.14.04.1+4

🔴Vulnerability Details

GHSA

GHSA-q9w5-hr49-h5h8: WebExtensions can bypass normal restrictions in some circumstances and use "browser↗2022-05-13

▶

OSV

firefox regression↗2018-04-06

▶

OSV

firefox vulnerabilities↗2018-03-14

▶

OSV

CVE-2018-5135: WebExtensions can bypass normal restrictions in some circumstances and use "browser↗2018-03-14

▶

📋Vendor Advisories

Ubuntu

Firefox regression↗2018-04-06

▶

Ubuntu

Firefox vulnerabilities↗2018-03-14

▶

Debian

CVE-2018-5135: firefox - WebExtensions can bypass normal restrictions in some circumstances and use "brow...↗2018

▶