CVE-2018-5167Improper Input Validation in Mozilla Firefox

CWE-20Improper Input ValidationCWE-79Cross-site Scripting10 documents7 sources
Severity
4.3MEDIUMNVD
OSV9.8
EPSS
0.6%
top 29.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxDebian FirefoxCanonical Ubuntu Linux
Timeline
PublishedJun 11
Latest updateMay 14

Description

The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. Both will display "chrome:" links as active, clickable hyperlinks in their output. Web sites should not be able to directly link to internal chrome pages. Additionally, the JavaScript debugger will display "javascript:" links, which users could be tricked into clicking by malicious sites. This vulnerability affects Firefox < 60.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

debiandebian/firefox< firefox 60.0-1 (sid)
CVEListV5mozilla/firefoxunspecified60
NVDmozilla/firefox< 60.0
Ubuntumozilla/firefox< 60.0+build2-0ubuntu0.14.04.1+5

Also affects: Ubuntu Linux 14.04, 16.04, 17.10, 18.04

🔴Vulnerability Details

4
GHSA
GHSA-f8v9-9j4r-5fw9: The web console and JavaScript debugger do not sanitize all output that can be hyperlinked2022-05-14
OSV
firefox regression2018-05-18
OSV
firefox vulnerabilities2018-05-11
OSV
CVE-2018-5167: The web console and JavaScript debugger do not sanitize all output that can be hyperlinked2018-05-11

📋Vendor Advisories

4
Ubuntu
Firefox regression2018-05-18
Ubuntu
Firefox vulnerabilities2018-05-11
Red Hat
Mozilla: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger2018-05-09
Debian
CVE-2018-5167: firefox - The web console and JavaScript debugger do not sanitize all output that can be h...2018

💬Community

1
Bugzilla
CVE-2018-5167 Mozilla: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger2018-05-09