// For flags

CVE-2018-12396

Mozilla: WebExtension content scripts can execute in disallowed contexts

Severity Score

6.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.

Una vulnerabilidad en la que WebExtensions pueden ejecutar scripts de contenido en contextos no permitidos tras una navegación u otros eventos. Esto permite el escalado de privilegios potencial mediante WebExtensions en sitios en los que los scripts de contenido no deberían ejecutarse. La vulnerabilidad afecta a Firefox ESR en versiones anteriores a la 60.3 y Firefox en versiones anteriores a la 63.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-06-14 CVE Reserved
  • 2018-10-25 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-10-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-284: Improper Access Control
  • CWE-732: Incorrect Permission Assignment for Critical Resource
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mozilla
Search vendor "Mozilla"
Firefox
Search vendor "Mozilla" for product "Firefox"
< 63.0
Search vendor "Mozilla" for product "Firefox" and version " < 63.0"
-
Affected
Mozilla
Search vendor "Mozilla"
Firefox Esr
Search vendor "Mozilla" for product "Firefox Esr"
< 60.3
Search vendor "Mozilla" for product "Firefox Esr" and version " < 60.3"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
18.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
18.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Desktop
Search vendor "Redhat" for product "Enterprise Linux Desktop"
6.0
Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Desktop
Search vendor "Redhat" for product "Enterprise Linux Desktop"
7.0
Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
6.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
7.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
7.6
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.6"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Eus
Search vendor "Redhat" for product "Enterprise Linux Server Eus"
7.6
Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.6"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Tus
Search vendor "Redhat" for product "Enterprise Linux Server Tus"
7.6
Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "7.6"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Workstation
Search vendor "Redhat" for product "Enterprise Linux Workstation"
6.0
Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Workstation
Search vendor "Redhat" for product "Enterprise Linux Workstation"
7.0
Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"
-
Affected