PT-2018-3019 · Mozilla+3 · Firefox+3

Andy Mckay

Publicado

2018-05-09

Atualizado

2024-12-12

CVE-2018-5152

CVSS v3.1

6.5

Média

Vetor

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 60

Description The issue is related to WebExtensions with appropriate permissions that can attach content scripts to Mozilla sites, such as accounts.firefox.com, and listen to network traffic through the "webRequest" API. This allows for the interception of username and an encrypted password during login to Firefox Accounts. The issue is limited to the process of user login to the website and the data displayed to the user once logged in. It does not expose synchronization traffic directly.

Recommendations For versions prior to 60, update to version 60 or later to resolve the issue. As a temporary workaround, consider restricting the use of WebExtensions with the "webRequest" API permission to minimize the risk of exploitation. Avoid using WebExtensions that require sensitive information, such as username and password, until the issue is resolved.

Correção

Information Disclosure

Use of a Broken Cryptographic Algorithm

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-200CWE-327

Identificadores relacionados

ALT-PU-2018-1787

ALT-PU-2018-1854

BDU:2019-03418

CVE-2018-5152

OPENSUSE-SU-2024:10600-1

OPENSUSE-SU-2024:14572-1

SUSE-SU-2019:2872-1

USN-3645-1

USN-3645-2

Produtos afetados

Alt Linux

Firefox

Suse

Ubuntu

PT-2018-3019 · Mozilla+3 · Firefox+3

CVE-2018-5152

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 1933