CVE-2018-5168 — Missing Authorization in Mozilla Firefox
Severity
NVD: 5.3 MEDIUM
OSV: 9.8
EPSS: 1.0% (top 22.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jun 11
Latest update: May 13
Description
Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 12 packages
Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10, 18.04, Enterprise Linux 7.6, 7.5
Vulnerability Details (5)
GHSA
GHSA-mc9q-rpjx-f8px: Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element (2022-05-13)
CVEList
CVE-2018-5168: Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element (2018-06-11)
OSV
CVE-2018-5168: Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element (2018-06-11)
Vendor Advisories (4)
Community (1)
Bugzilla