CVE-2018-12368
 
Public Exploits: 1
Exploited in Wild: -
Descriptions
Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
Timeline
- 2018-06-14 CVE Reserved
- 2018-10-02 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-09-27 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
References (9)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/104560 | Third Party Advisory | |
http://www.securitytracker.com/id/1041193 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 | 2024-08-05 | |

URL | Date | SRC |
---|---|---|
https://security.gentoo.org/glsa/201810-01 | 2019-10-03 | |
https://www.mozilla.org/security/advisories/mfsa2018-15 | 2019-10-03 | |
https://www.mozilla.org/security/advisories/mfsa2018-16 | 2019-10-03 | |
https://www.mozilla.org/security/advisories/mfsa2018-17 | 2019-10-03 | |
https://www.mozilla.org/security/advisories/mfsa2018-18 | 2019-10-03 | |
https://www.mozilla.org/security/advisories/mfsa2018-19 | 2019-10-03 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|---|---|---|---|---|
Mozilla | Firefox | < 61.0 | - | Affected | in | Microsoft | Windows 10 | * | - | Safe |
Mozilla | Firefox Esr | < 52.9 | - | Affected | in | Microsoft | Windows 10 | * | - | Safe |
Mozilla | Firefox Esr | >= 53.0 < 60.1.0 | - | Affected | in | Microsoft | Windows 10 | * | - | Safe |
Mozilla | Thunderbird | < 52.9 | - | Affected | in | Microsoft | Windows 10 | * | - | Safe |