CVE-2018-12397
PUBLISHED
A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.
EPSS 0.07% · 21.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | firefox | *, *, 62.0+build2-0ubuntu0.18.04.5 |
| Ubuntu:14.04:LTS | firefox | 34.0+build2-0ubuntu0.14.04.1, 35.0+build3-0ubuntu0.14.04.2, 35.0.1+build1-0ubuntu0.14.04.1 |
| Ubuntu:18.04:LTS | mozjs52 | 52.3.1-0ubuntu3, 52.8.1-0ubuntu0.18.04.1, 0 |
| Ubuntu:18.04:LTS | mozjs38 | 0, 38.8.0~repack1-0ubuntu4, 38.8.0~repack1-0ubuntu3 |
| Ubuntu:20.04:LTS | mozjs52 | 52.9.1-1ubuntu3, 0, 52.9.1-1build1 |
| Ubuntu:16.04:LTS | firefox | 0, *, * |
Timeline
- Oct 24, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-12397 third-party-advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/#CVE-2018-12397 third-party-advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12397 third-party-advisory
- https://ubuntu.com/security/notices/USN-3801-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-12397 third-party-advisory