CVE-2018-5173Improper Input Validation in Mozilla Firefox

CWE-20Improper Input ValidationCWE-451User Interface (UI) Misrepresentation of Critical Information10 documents7 sources
Severity
5.3MEDIUMNVD
OSV9.8
EPSS
1.0%
top 22.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxDebian FirefoxCanonical Ubuntu Linux
Timeline
PublishedJun 11
Latest updateMay 14

Description

The filename appearing in the "Downloads" panel improperly renders some Unicode characters, allowing for the file name to be spoofed. This can be used to obscure the file extension of potentially executable files from user view in the panel. Note: the dialog to open the file will show the full, correct filename and whether it is executable or not. This vulnerability affects Firefox < 60.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

debiandebian/firefox< firefox 60.0-1 (sid)
CVEListV5mozilla/firefoxunspecified60
NVDmozilla/firefox< 60.0
Ubuntumozilla/firefox< 60.0+build2-0ubuntu0.14.04.1+5

Also affects: Ubuntu Linux 14.04, 16.04, 17.10, 18.04

🔴Vulnerability Details

4
GHSA
GHSA-hg6x-mmgv-6qvx: The filename appearing in the "Downloads" panel improperly renders some Unicode characters, allowing for the file name to be spoofed2022-05-14
OSV
firefox regression2018-05-18
OSV
firefox vulnerabilities2018-05-11
OSV
CVE-2018-5173: The filename appearing in the "Downloads" panel improperly renders some Unicode characters, allowing for the file name to be spoofed2018-05-11

📋Vendor Advisories

4
Ubuntu
Firefox regression2018-05-18
Ubuntu
Firefox vulnerabilities2018-05-11
Red Hat
Mozilla: File name spoofing of Downloads panel with Unicode characters2018-05-09
Debian
CVE-2018-5173: firefox - The filename appearing in the "Downloads" panel improperly renders some Unicode ...2018

💬Community

1
Bugzilla
CVE-2018-5173 Mozilla: File name spoofing of Downloads panel with Unicode characters2018-05-09