CVE-2018-5117
Mozilla: URL spoofing with right-to-left text aligned left-to-right (MFSA 2018-03)
Severity Score
Exploit Likelihood
Affected Versions
22Public Exploits
0Exploited in Wild
-Decision
Descriptions
If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displayed as a location, which can mislead users to believe they are on a different site than the one loaded. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58.
Si se utiliza texto de derecha a izquierda en la barra de direcciones con alineaciĆ³n de izquierda a derecha, en algunas circunstancias es posible desplazar este texto para falsificar la URL mostrada. Este problema puede provocar que se muestre una URL incorrecta como ubicaciĆ³n, lo que puede inducir a los usuarios a error al creer que se encuentran en un sitio diferente al que se ha cargado. Esta vulnerabilidad afecta a las versiones anteriores a la 52.6 de Thunderbird, las versiones anteriores a la 52.6 de Firefox ESR y las versiones anteriores a la 58 de Firefox.
It was discovered that a From address encoded with a null character is cut off in the message header display. An attacker could potentially exploit this to spoof the sender address. It was discovered that it is possible to execute JavaScript in RSS feeds in some circumstances. If a user were tricked in to opening a specially crafted RSS feed, an attacker could potentially exploit this in combination with another vulnerability, in order to cause unspecified problems. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-01-03 CVE Reserved
- 2018-01-24 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-451: User Interface (UI) Misrepresentation of Critical Information
CAPEC
References (15)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/102783 | Third Party Advisory | |
| http://www.securitytracker.com/id/1040270 | Third Party Advisory | |
| https://lists.debian.org/debian-lts-announce/2018/0... | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2018/0... | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:0122 | 2019-10-03 | |
| https://access.redhat.com/errata/RHSA-2018:0262 | 2019-10-03 | |
| https://usn.ubuntu.com/3544-1 | 2019-10-03 | |
| https://www.debian.org/security/2018/dsa-4096 | 2019-10-03 | |
| https://www.debian.org/security/2018/dsa-4102 | 2019-10-03 | |
| https://www.mozilla.org/security/advisories/mfsa2018-02 | 2019-10-03 | |
| https://www.mozilla.org/security/advisories/mfsa2018-03 | 2019-10-03 | |
| https://www.mozilla.org/security/advisories/mfsa2018-04 | 2019-10-03 | |
| https://access.redhat.com/security/cve/CVE-2018-5117 | 2018-02-01 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1537825 | 2018-02-01 |