Vulnerability Description
If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page. Although the prompt contains the real domain making the request, this can result in user confusion about the originating site of the authentication request and may cause users to mistakenly send private credential information to a third party site. This vulnerability affects Firefox < 58.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 57.0.4 |
| Canonical | Ubuntu Linux | 14.04 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/102786Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1040270Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1409449Issue TrackingPermissions Required
- https://usn.ubuntu.com/3544-1/Third Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2018-02/Vendor Advisory
- http://www.securityfocus.com/bid/102786Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1040270Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1409449Issue TrackingPermissions Required
- https://usn.ubuntu.com/3544-1/Third Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2018-02/Vendor Advisory
FAQ
What is CVE-2018-5115?
CVE-2018-5115 is a vulnerability with a CVSS score of 7.5 (HIGH). If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page. Although the prompt contains the real...
How severe is CVE-2018-5115?
CVE-2018-5115 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-5115?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Canonical Ubuntu Linux.