VDB
CVE-2018-12383
CVE-2018-12383
PUBLISHED
If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.
EPSS 0.08% · 23.6th percentile
Risk Scores
EPSS Score
0.08%
23.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | thunderbird | *, *, * |
| Ubuntu:14.04:LTS | firefox | *, *, * |
| Ubuntu:18.04:LTS | thunderbird | *, 1:52.8.0+build1-0ubuntu0.18.04.1, 1:52.7.0+build1-0ubuntu1 |
| Ubuntu:18.04:LTS | firefox | 59.0.1+build1-0ubuntu1, 57.0.1+build2-0ubuntu1, 61.0.1+build1-0ubuntu0.18.04.1 |
| Ubuntu:14.04:LTS | thunderbird | 1:52.1.1+build1-0ubuntu0.14.04.1, 1:24.0+build1-0ubuntu1, 1:24.0+build1-0ubuntu2 |
| Ubuntu:16.04:LTS | firefox | 51.0.1+build2-0ubuntu0.16.04.1, 51.0.1+build2-0ubuntu0.16.04.2, 52.0+build2-0ubuntu0.16.04.1 |
Timeline
- Sep 6, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
- Jan 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-12383 third-party-advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12383 third-party-advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12383 third-party-advisory
- https://ubuntu.com/security/notices/USN-3761-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-3793-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-12383 third-party-advisory