CVE-2018-5166 — Improper Privilege Management in Mozilla Firefox

CWE-269 — Improper Privilege Management CWE-266 — Incorrect Privilege Assignment10 documents7 sources

Severity

7.5HIGHNVD

OSV9.8

EPSS

0.8%

top 26.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Canonical Ubuntu Linux

Timeline

PublishedJun 11

Latest updateMay 13

Description

WebExtensions can use request redirection and a "filterReponseData" filter to bypass host permission settings to redirect network traffic and access content from a host for which they do not have explicit user permission. This vulnerability affects Firefox < 60.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/firefox< firefox 60.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 60

▶NVDmozilla/firefox< 60.0

▶Ubuntumozilla/firefox< 60.0+build2-0ubuntu0.14.04.1+5

Also affects: Ubuntu Linux 14.04, 16.04, 17.10, 18.04

🔴Vulnerability Details

GHSA

GHSA-xf5w-2jf5-86c8: WebExtensions can use request redirection and a "filterReponseData" filter to bypass host permission settings to redirect network traffic and access c↗2022-05-13

▶

OSV

firefox regression↗2018-05-18

▶

OSV

firefox vulnerabilities↗2018-05-11

▶

OSV

CVE-2018-5166: WebExtensions can use request redirection and a "filterReponseData" filter to bypass host permission settings to redirect network traffic and access c↗2018-05-11

▶

📋Vendor Advisories

Ubuntu

Firefox regression↗2018-05-18

▶

Ubuntu

Firefox vulnerabilities↗2018-05-11

▶

Red Hat

Mozilla: WebExtension host permission bypass through filterReponseData↗2018-05-09

▶

Debian

CVE-2018-5166: firefox - WebExtensions can use request redirection and a "filterReponseData" filter to by...↗2018

▶

💬Community

Bugzilla

CVE-2018-5166 Mozilla: WebExtension host permission bypass through filterReponseData↗2018-05-09

▶