CVE-2018-5176Improper Input Validation in Mozilla Firefox

CWE-20Improper Input ValidationCWE-79Cross-site Scripting10 documents7 sources
Severity
6.1MEDIUMNVD
OSV9.8
EPSS
0.4%
top 40.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxDebian FirefoxCanonical Ubuntu Linux
Timeline
PublishedJun 11
Latest updateMay 14

Description

The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. This can allow for the theft of cookies and authorization tokens which are accessible to that context. This vulnerability affects Firefox < 60.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

debiandebian/firefox< firefox 60.0-1 (sid)
CVEListV5mozilla/firefoxunspecified60
NVDmozilla/firefox< 60.0
Ubuntumozilla/firefox< 60.0+build2-0ubuntu0.14.04.1+5

Also affects: Ubuntu Linux 14.04, 16.04, 17.10, 18.04

🔴Vulnerability Details

4
GHSA
GHSA-x4p5-q86p-74vp: The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links2022-05-14
OSV
firefox regression2018-05-18
OSV
CVE-2018-5176: The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links2018-05-11
OSV
firefox vulnerabilities2018-05-11

📋Vendor Advisories

4
Ubuntu
Firefox regression2018-05-18
Ubuntu
Firefox vulnerabilities2018-05-11
Red Hat
Mozilla: JSON Viewer script injection2018-05-09
Debian
CVE-2018-5176: firefox - The JSON Viewer displays clickable hyperlinks for strings that are parseable as ...2018

💬Community

1
Bugzilla
CVE-2018-5176 Mozilla: JSON Viewer script injection2018-05-09