CVE-2018-12399
Ubuntu Security Notice USN-3801-1
Severity Score
Exploit Likelihood
Affected Versions
5Public Exploits
0Exploited in Wild
-Decision
Descriptions
When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63.
Cuando se registra un nuevo manipulador de protocolos, la API acepta un argumento de títulos que puede utilizarse para engañar a los usuarios para que duden sobre el dominio que está registrando el nuevo protocolo. Esto puede provocar que el usuario apruebe un manipulador de protocolo que normalmente no tendría. Esta vulnerabilidad afecta a las versiones anteriores a la 63 de Firefox.
Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass CSP restrictions, spoof the protocol registration notification bar, leak SameSite cookies, bypass mixed content warnings, or execute arbitrary code. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-06-14 CVE Reserved
- 2018-10-24 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
CAPEC
References (4)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://usn.ubuntu.com/3801-1 | 2019-03-01 | |
| https://www.mozilla.org/security/advisories/mfsa2018-26 | 2019-03-01 |