CVE-2018-12368 — Vulnetix

Try Vulnetix Request Demo

CVE-2018-12368 PUBLISHED CVSS 8.100000381469727 HIGH

Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.

EPSS 1.95% · 83.4th percentile

Risk Scores

CVSS v3.0

8.100000381469727

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

1.95%

83.4th percentile

Affected Products

Vendor	Product	Versions
mozilla	firefox_esr	0
Mozilla	Thunderbird	unspecified, unspecified
mozilla	firefox	0, 53.0
mozilla	thunderbird	0
Mozilla	Firefox	unspecified
Mozilla	Firefox ESR	unspecified, unspecified

Timeline

Aug 7, 2018 CVE Published
Apr 14, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Dec 25, 2021 EPSS Score
Feb 25, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Nov 1, 2022 EPSS Score
Jan 2, 2023 EPSS Score
Mar 5, 2023 EPSS Score
May 6, 2023 EPSS Score

References

…and 1 more

Open in Interactive Console →