PT-2018-3045 · Mozilla+3 · Firefox+3
Abdulrahman Alqabandi · Published 2018-05-09 · Updated 2024-12-12 · CVE-2018-5173
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Firefox versions prior to 60
Description
The issue arises from the improper rendering of some Unicode characters in the filename displayed in the "Downloads" panel. This can lead to the file extension of potentially executable files being obscured from the user's view, although the full, correct filename and its executability status are shown in the file open dialog. The vulnerability can be exploited to conduct spoofing attacks.
Recommendations
For versions prior to 60, update to version 60 or later to resolve the issue. As a temporary workaround, consider verifying the file type and extension through the file open dialog to ensure the file's authenticity before opening. Restrict access to potentially executable files downloaded from untrusted sources to minimize the risk of exploitation.
Fix
RCE
Affected Products
Alt Linux
Firefox
Suse
Ubuntu