PT-2018-3019 · Mozilla+3 · Firefox+3

Andy Mckay

Published

2018-05-09

Updated

2024-12-12

CVE-2018-5152

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 60

Description The issue is related to WebExtensions with appropriate permissions that can attach content scripts to Mozilla sites, such as accounts.firefox.com, and listen to network traffic through the "webRequest" API. This allows for the interception of username and an encrypted password during login to Firefox Accounts. The issue is limited to the process of user login to the website and the data displayed to the user once logged in. It does not expose synchronization traffic directly.

Recommendations For versions prior to 60, update to version 60 or later to resolve the issue. As a temporary workaround, consider restricting the use of WebExtensions with the "webRequest" API permission to minimize the risk of exploitation. Avoid using WebExtensions that require sensitive information, such as username and password, until the issue is resolved.

Fix

Information Disclosure

Use of a Broken Cryptographic Algorithm

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-327

Related Identifiers

ALT-PU-2018-1787

ALT-PU-2018-1854

BDU:2019-03418

CVE-2018-5152

OPENSUSE-SU-2024:10600-1

OPENSUSE-SU-2024:14572-1

SUSE-SU-2019:2872-1

USN-3645-1

USN-3645-2

Affected Products

Alt Linux

Firefox

Suse

Ubuntu

PT-2018-3019 · Mozilla+3 · Firefox+3

CVE-2018-5152

Weakness Enumeration

Related Identifiers

Affected Products

References · 1933