Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.3
CVSSv2

CVE-2018-12402

Published: 28/02/2019 Updated: 03/10/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Subscribe to Mozilla

Vulnerability Summary

The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of "Save Page As..." functionality. For example, a malicious page could recover a visitor's Windows username and NTLM hash by including resources otherwise unreachable to the malicious page, if they can convince the visitor to save the complete web page. Similarly, SameSite cookies are sent on cross-origin requests when the "Save Page As..." menu item is selected to save a page, which can result in saving the wrong version of resources based on those cookies. This vulnerability affects Firefox < 63.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

mozilla firefox

canonical ubuntu linux 16.04

canonical ubuntu linux 18.10

canonical ubuntu linux 14.04

canonical ubuntu linux 18.04

Vendor Advisories

Ubuntu Security Notice: firefox vulnerabilities
Firefox could be made to crash or run programs as your login if it opened a malicious website ...
Ubuntu Security Notice: firefox regressions
USN-3801-1 caused some minor regressions in Firefox ...
Mozilla: Security vulnerabilities fixed in Firefox 63
Mozilla Foundation Security Advisory 2018-26 Security vulnerabilities fixed in Firefox 63 Announced October 23, 2018 Impact critical Products Firefox Fixed in Firefox 63 ...
Arch Linux Issues:
A security issue has been found in Firefox versions prior to 630, where SameSite cookies are sent on cross-origin requests when the "Save Page As" menu item is selected to save a page, violating cookie policy This can result in saving the wrong version of resources based on those cookies ...

References

CWE-346https://www.mozilla.org/security/advisories/mfsa2018-26/https://bugzilla.mozilla.org/show_bug.cgi?id=1469916https://bugzilla.mozilla.org/show_bug.cgi?id=1447087https://usn.ubuntu.com/3801-1/http://www.securitytracker.com/id/1041944http://www.securityfocus.com/bid/105721https://nvd.nist.govhttps://usn.ubuntu.com/3801-1/
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
deserializationCVE-2024-4040cross-site scriptingCVE-2023-25790CVE-2024-2961XML external entityCVE-2024-26926CVE-2024-32806CVE-2024-32711
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook