CVE-2018-5175 — Cross-site Scripting in Mozilla Firefox
Severity
6.1MEDIUMNVD
OSV9.8
EPSS
0.6%
top 31.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJun 11
Latest updateMay 13
Description
A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts. This vulnerability affects Firefox < 60.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7
Affected Packages4 packages
Also affects: Ubuntu Linux 14.04, 16.04, 17.10, 18.04
🔴Vulnerability Details
4GHSA▶
GHSA-c5vx-c657-hmcm: A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'"↗2022-05-13
OSV▶
CVE-2018-5175: A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'"↗2018-05-11