cbcvebase.
CVE-2018-5172
published 2018-06-11

CVE-2018-5172: The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF…

PriorityP420medium4.3CVSS 3.0
AVNACLPRNUIRSUCNILAN
EPSS
1.62%
73.2th percentile
The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files. This could allow a malicious site to socially engineer a user to copy and paste malicious script content that could then run with the context of either page but does not allow for privilege escalation. This vulnerability affects Firefox < 60.

Affected

15 ranges
VendorProductVersion rangeFixed in
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
debianfirefox< firefox 60.0-1 (sid)firefox 60.0-1 (sid)
mozillafirefox< 60.060.0
mozillafirefox>= 0 < 60.0+build2-0ubuntu0.14.04.160.0+build2-0ubuntu0.14.04.1
mozillafirefox>= 0 < 60.0.1+build2-0ubuntu0.14.04.160.0.1+build2-0ubuntu0.14.04.1
mozillafirefox>= 0 < 60.0+build2-0ubuntu0.16.04.160.0+build2-0ubuntu0.16.04.1
mozillafirefox>= 0 < 60.0.1+build2-0ubuntu0.16.04.160.0.1+build2-0ubuntu0.16.04.1
mozillafirefox>= 0 < 60.0+build2-0ubuntu160.0+build2-0ubuntu1
mozillafirefox>= 0 < 60.0.1+build2-0ubuntu0.18.04.160.0.1+build2-0ubuntu0.18.04.1
mozillafirefox>= unspecified < 6060
uriparser_projecturiparser>= 0 < 0.7.5-1ubuntu2+esm20.7.5-1ubuntu2+esm2
uriparser_projecturiparser>= 0 < 0.8.4-1ubuntu0.16.04.1~esm20.8.4-1ubuntu0.16.04.1~esm2

CVSS provenance

nvdv3.04.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv9.8CRITICAL
vendor_ubuntu9.8CRITICAL
vendor_debian4.3MEDIUM
vendor_redhat4.3MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.