CVE-2018-5167
Publication date 11 May 2018
Last updated 24 July 2024
Ubuntu priority
The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. Both will display "chrome:" links as active, clickable hyperlinks in their output. Web sites should not be able to directly link to internal chrome pages. Additionally, the JavaScript debugger will display "javascript:" links, which users could be tricked into clicking by malicious sites. This vulnerability affects Firefox < 60.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| firefox | 18.04 LTS bionic |
Fixed 60.0+build2-0ubuntu1
|
| 16.04 LTS xenial |
Fixed 60.0+build2-0ubuntu0.16.04.1
|
|
| 14.04 LTS trusty |
Fixed 60.0+build2-0ubuntu0.14.04.1
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
4.3 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-3645-1
- Firefox vulnerabilities
- 11 May 2018