Vulnerability Description
WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For example, this allows for the interception of username and an encrypted password during login to Firefox Accounts. This issue does not expose synchronization traffic directly and is limited to the process of user login to the website and the data displayed to the user once logged in. This vulnerability affects Firefox < 60.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 60.0 |
| Canonical | Ubuntu Linux | 14.04 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/104139 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1040896 (Third Party Advisory, VDB Entry)
- https://bugzilla.mozilla.org/show_bug.cgi?id=1415644 (Issue Tracking, Patch, Third Party Advisory)
- https://bugzilla.mozilla.org/show_bug.cgi?id=1427289 (Issue Tracking, Permissions Required, Third Party Advisory)
- https://usn.ubuntu.com/3645-1/ (Third Party Advisory)
- https://www.mozilla.org/security/advisories/mfsa2018-11/ (Vendor Advisory)
FAQ
What is CVE-2018-5152?
CVE-2018-5152 is a vulnerability with a CVSS score of 6.5 (MEDIUM). WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For exam...
How severe is CVE-2018-5152?
CVE-2018-5152 is rated MEDIUM, with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2018-5152?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Canonical Ubuntu Linux.