CVE-2018-5182Sensitive Information Exposure in Mozilla Firefox

CWE-200Sensitive Information ExposureCWE-22Path Traversal10 documents7 sources
Severity
7.5HIGHNVD
OSV9.8
EPSS
1.0%
top 22.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxDebian FirefoxCanonical Ubuntu Linux
Timeline
PublishedJun 11
Latest updateMay 14

Description

If a text string that happens to be a filename in the operating system's native format is dragged and dropped onto the addressbar the specified local file will be opened. This is contrary to policy and is what would happen if the string were the equivalent "file:" URL. This vulnerability affects Firefox < 60.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

debiandebian/firefox< firefox 60.0-1 (sid)
CVEListV5mozilla/firefoxunspecified60
NVDmozilla/firefox< 60.0
Ubuntumozilla/firefox< 60.0+build2-0ubuntu0.14.04.1+5

Also affects: Ubuntu Linux 14.04, 16.04, 17.10, 18.04

🔴Vulnerability Details

4
GHSA
GHSA-857q-6rrg-fqm2: If a text string that happens to be a filename in the operating system's native format is dragged and dropped onto the addressbar the specified local2022-05-14
OSV
firefox regression2018-05-18
OSV
firefox vulnerabilities2018-05-11
OSV
CVE-2018-5182: If a text string that happens to be a filename in the operating system's native format is dragged and dropped onto the addressbar the specified local2018-05-11

📋Vendor Advisories

4
Ubuntu
Firefox regression2018-05-18
Ubuntu
Firefox vulnerabilities2018-05-11
Red Hat
Mozilla: Local file can be displayed from hyperlink dragged and dropped on addressbar2018-05-09
Debian
CVE-2018-5182: firefox - If a text string that happens to be a filename in the operating system's native ...2018

💬Community

1
Bugzilla
CVE-2018-5182 Mozilla: Local file can be displayed from hyperlink dragged and dropped on addressbar2018-05-09