Vulnerability CVE-2018-5176: Information

Description

The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. This can allow for the theft of cookies and authorization tokens which are accessible to that context. This vulnerability affects Firefox < 60.

Severity: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2018-5176
Published: June 12, 2018
Modified: Aug. 3, 2018
Error type identifier: CWE-20

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
firefoxsisyphus60.0.1-alt1127.0-alt1ALT-PU-2018-1787-1206819Fixed
firefoxp1060.0.1-alt1118.0.2-alt0.p10.1ALT-PU-2018-1787-1206819Fixed
firefoxp960.0.1-alt1105.0.1-alt0.c9.1ALT-PU-2018-1787-1206819Fixed
firefoxp860.0.1-alt0.M80P.168.0.1-alt0.M80P.1ALT-PU-2018-1898-1206884Fixed
firefoxc10f160.0.1-alt1112.0.2-alt0.p10.1ALT-PU-2018-1787-1206819Fixed
firefoxc9f260.0.1-alt1105.0.1-alt0.c9.1ALT-PU-2018-1787-1206819Fixed
firefoxc760.6.1-alt0.M70C.160.8.0-alt0.M70C.1ALT-PU-2019-1726-1218597Fixed
firefoxp1160.0.1-alt1126.0.1-alt1ALT-PU-2018-1787-1206819Fixed
firefox-esrsisyphus60.0.1-alt1115.11.0-alt1ALT-PU-2018-1854-1207816Fixed
firefox-esrp1060.0.1-alt1115.11.0-alt1ALT-PU-2018-1854-1207816Fixed
firefox-esrp960.0.1-alt1102.11.0-alt0.c9.1ALT-PU-2018-1854-1207816Fixed
firefox-esrp860.1.0-alt0.M80P.168.4.1-alt0.M80P.1ALT-PU-2018-1966-1207865Fixed
firefox-esrc10f160.0.1-alt1115.9.1-alt0.c10.1ALT-PU-2018-1854-1207816Fixed
firefox-esrc9f260.0.1-alt1102.12.0-alt0.c9.1ALT-PU-2018-1854-1207816Fixed
firefox-esrp1160.0.1-alt1115.11.0-alt1ALT-PU-2018-1854-1207816Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://www.mozilla.org/security/advisories/mfsa2018-11/
  • Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1442840
  • Issue Tracking
  • Permissions Required
  • Vendor Advisory
USN-3645-1
  • Third Party Advisory
1040896
  • Third Party Advisory
  • VDB Entry
104139
  • Third Party Advisory
  • VDB Entry

    1. Configuration 1

      cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
      cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
      cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
      cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

      Configuration 2

      cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
      End excliding
      60.0
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top