CVE-2018-5165 — User Interface (UI) Misrepresentation of Critical Information in Mozilla Firefox

CWE-451 — User Interface (UI) Misrepresentation of Critical Information5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.8%

top 26.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJun 11

Latest updateMay 13

Description

In 32-bit versions of Firefox, the Adobe Flash plugin setting for "Enable Adobe Flash protected mode" is unchecked by default even though the Adobe Flash sandbox is actually enabled. The displayed state is the reverse of the true setting, resulting in user confusion. This could cause users to select this setting intending to activate it and inadvertently turn protections off. This vulnerability affects Firefox < 60.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/firefox< firefox 60.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 60

▶NVDmozilla/firefox< 60.0

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-hc8c-44hv-5hc7: In 32-bit versions of Firefox, the Adobe Flash plugin setting for "Enable Adobe Flash protected mode" is unchecked by default even though the Adobe Fl↗2022-05-13

▶

📋Vendor Advisories

Red Hat

Mozilla: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox↗2018-05-09

▶

Debian

CVE-2018-5165: firefox - In 32-bit versions of Firefox, the Adobe Flash plugin setting for "Enable Adobe ...↗2018

▶

💬Community

Bugzilla

CVE-2018-5165 Mozilla: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox↗2018-05-09

▶