#VU13490 Improper input validation in Mozilla Firefox - CVE-2018-12368

Cybersecurity Help s.r.o.

Published: 2018-06-27

Vulnerability identifier: #VU13490

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-12368

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to iWindows 10 does not warn users before opening executable files with the SettingContent-msextension even when they have been downloaded from the internet and have the "Mark of the Web". A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, use WebExtension with the limited downloads.openpermission and execute arbitrary code without user interaction on Windows 10 systems

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Update to version 61.0.

Vulnerable software versions

Mozilla Firefox: 60.0 - 60.0.2

External links
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Mozilla Firefox

Multiple vulnerabilities in Mozilla Thunderbird

Slackware Linux update for mozilla-thunderbird

Multiple vulnerabilities in Mozilla Thunderbird

Multiple vulnerabilities in Mozilla Firefox ESR

Multiple vulnerabilities in Mozilla Firefox