PT-2017-3684 · Mozilla+2 · Firefox+2

Rob Wu

Published

2017-08-16

Updated

2024-12-12

CVE-2018-5105

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 58

Description: The issue is related to WebExtensions, which can bypass user prompts, allowing an arbitrarily downloaded file to be saved and then opened. This can lead to an executable file running with local user privileges without explicit user consent. The exploitation of this issue may allow an attacker to elevate their privileges.

Recommendations: For versions prior to 58, update to version 58 or later to resolve the issue. As a temporary workaround, consider disabling WebExtensions until a patch is available. Restrict access to downloadable files to minimize the risk of exploitation. Avoid using WebExtensions to open downloaded files until the issue is resolved.

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-269

Related Identifiers

ALT-PU-2018-1178

ALT-PU-2018-1854

BDU:2018-00877

CVE-2018-5105

OPENSUSE-SU-2024:10600-1

OPENSUSE-SU-2024:14572-1

USN-3544-1

USN-3544-2

Affected Products

Alt Linux

Firefox

Ubuntu

PT-2017-3684 · Mozilla+2 · Firefox+2

CVE-2018-5105

Weakness Enumeration

Related Identifiers

Affected Products

References · 1910