CVE-2018-5158 — Code Injection in Mozilla Firefox
Severity
NVD: 8.8 HIGH
OSV: 9.8
EPSS
43.0%
top 2.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 11
Latest update: Apr 26
Description
The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 7 packages
Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10, 18.04, Enterprise Linux 7.6, 7.5
Vulnerability Details (6)
OSV
CVE-2018-5158: The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file (2018-06-11)
CVEList
CVE-2018-5158: The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file (2018-06-11)
Vendor Advisories (4)
Debian
CVE-2018-5158: firefox - The PDF viewer does not sufficiently sanitize PostScript calculator functions, a... (2018)