CVE-2018-5169Improper Input Validation in Mozilla Firefox

CWE-20Improper Input ValidationCWE-862Missing Authorization10 documents7 sources
Severity
6.5MEDIUMNVD
OSV9.8
EPSS
0.6%
top 30.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxDebian FirefoxCanonical Ubuntu Linux
Timeline
PublishedJun 11
Latest updateMay 14

Description

If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a normally-unlinkable chrome page as one of the home page tabs. This vulnerability affects Firefox < 60.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

debiandebian/firefox< firefox 60.0-1 (sid)
CVEListV5mozilla/firefoxunspecified60
NVDmozilla/firefox< 60.0
Ubuntumozilla/firefox< 60.0+build2-0ubuntu0.14.04.1+5

Also affects: Ubuntu Linux 14.04, 16.04, 17.10, 18.04

🔴Vulnerability Details

4
GHSA
GHSA-r49w-ww39-r9gp: If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a2022-05-14
OSV
firefox regression2018-05-18
OSV
firefox vulnerabilities2018-05-11
OSV
CVE-2018-5169: If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a2018-05-11

📋Vendor Advisories

4
Ubuntu
Firefox regression2018-05-18
Ubuntu
Firefox vulnerabilities2018-05-11
Red Hat
Mozilla: Dragging and dropping link text onto home button can set home page to include chrome pages2018-05-09
Debian
CVE-2018-5169: firefox - If manipulated hyperlinked text with "chrome:" URL contained in it is dragged an...2018

💬Community

1
Bugzilla
CVE-2018-5169 Mozilla: Dragging and dropping link text onto home button can set home page to include chrome pages2018-05-09