CVE-2018-5116
Publication date 23 January 2018
Last updated 24 July 2024
Ubuntu priority
WebExtensions with the "ActiveTab" permission are able to access frames hosted within the active tab even if the frames are cross-origin. Malicious extensions can inject frames from arbitrary origins into the loaded page and then interact with them, bypassing same-origin user expectations with this permission. This vulnerability affects Firefox < 58.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| firefox | 18.04 LTS bionic |
Fixed 59.0.1+build1-0ubuntu1
|
| 16.04 LTS xenial |
Fixed 58.0+build6-0ubuntu0.16.04.1
|
|
| 14.04 LTS trusty |
Fixed 58.0+build6-0ubuntu0.14.04.1
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3544-1
- Firefox vulnerabilities
- 24 January 2018