cbcvebase.
CVE-2018-5182
published 2018-06-11

CVE-2018-5182: If a text string that happens to be a filename in the operating system's native format is dragged and dropped onto the addressbar the specified local file will…

PriorityP337high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EPSS
2.08%
79.3th percentile
If a text string that happens to be a filename in the operating system's native format is dragged and dropped onto the addressbar the specified local file will be opened. This is contrary to policy and is what would happen if the string were the equivalent "file:" URL. This vulnerability affects Firefox < 60.

Affected

13 ranges
VendorProductVersion rangeFixed in
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
debianfirefox< firefox 60.0-1 (sid)firefox 60.0-1 (sid)
mozillafirefox< 60.060.0
mozillafirefox>= 0 < 60.0+build2-0ubuntu0.14.04.160.0+build2-0ubuntu0.14.04.1
mozillafirefox>= 0 < 60.0.1+build2-0ubuntu0.14.04.160.0.1+build2-0ubuntu0.14.04.1
mozillafirefox>= 0 < 60.0+build2-0ubuntu0.16.04.160.0+build2-0ubuntu0.16.04.1
mozillafirefox>= 0 < 60.0.1+build2-0ubuntu0.16.04.160.0.1+build2-0ubuntu0.16.04.1
mozillafirefox>= 0 < 60.0+build2-0ubuntu160.0+build2-0ubuntu1
mozillafirefox>= 0 < 60.0.1+build2-0ubuntu0.18.04.160.0.1+build2-0ubuntu0.18.04.1
mozillafirefox>= unspecified < 6060

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv9.8CRITICAL
vendor_ubuntu9.8CRITICAL
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.