Vulnerability Description
The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. This can allow for the theft of cookies and authorization tokens which are accessible to that context. This vulnerability affects Firefox < 60.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Ubuntu Linux | 14.04 |
| Mozilla | Firefox | < 60.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/104139Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1040896Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1442840Issue TrackingPermissions RequiredVendor Advisory
- https://usn.ubuntu.com/3645-1/Third Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2018-11/Vendor Advisory
- http://www.securityfocus.com/bid/104139Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1040896Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1442840Issue TrackingPermissions RequiredVendor Advisory
- https://usn.ubuntu.com/3645-1/Third Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2018-11/Vendor Advisory
FAQ
What is CVE-2018-5176?
CVE-2018-5176 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links...
How severe is CVE-2018-5176?
CVE-2018-5176 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-5176?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Mozilla Firefox.