CVE-2018-5175 — MEDIUM (6.1)

Q: How severe is CVE-2018-5175?

CVE-2018-5175 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-5175?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Mozilla Firefox.

Vulnerability Description

A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts. This vulnerability affects Firefox < 60.

CVSS Score

6.1

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Canonical	Ubuntu Linux	14.04
Mozilla	Firefox	< 60.0

Related Weaknesses (CWE)

CWE-79

References

http://www.securityfocus.com/bid/104139Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1040896Third Party AdvisoryVDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1432358Issue TrackingPermissions RequiredVendor Advisory
https://usn.ubuntu.com/3645-1/Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2018-11/Vendor Advisory
http://www.securityfocus.com/bid/104139Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1040896Third Party AdvisoryVDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1432358Issue TrackingPermissions RequiredVendor Advisory
https://usn.ubuntu.com/3645-1/Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2018-11/Vendor Advisory

FAQ

What is CVE-2018-5175?

CVE-2018-5175 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw an attacker could in...

How severe is CVE-2018-5175?

CVE-2018-5175 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-5175?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Mozilla Firefox.