6.5

CVE-2018-12402

The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of "Save Page As..." functionality. For example, a malicious page could recover a visitor's Windows username and NTLM hash by including resources otherwise unreachable to the malicious page, if they can convince the visitor to save the complete web page. Similarly, SameSite cookies are sent on cross-origin requests when the "Save Page As..." menu item is selected to save a page, which can result in saving the wrong version of resources based on those cookies. This vulnerability affects Firefox < 63.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MozillaFirefox Version < 63.0
CanonicalUbuntu Linux Version14.04 SwEditionlts
CanonicalUbuntu Linux Version16.04 SwEditionlts
CanonicalUbuntu Linux Version18.04 SwEditionlts
CanonicalUbuntu Linux Version18.10
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.38% 0.587
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

http://www.securityfocus.com/bid/105721
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1041944
Third Party Advisory
VDB Entry
https://usn.ubuntu.com/3801-1/
Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1447087
Vendor Advisory
Issue Tracking
Permissions Required
https://bugzilla.mozilla.org/show_bug.cgi?id=1469916
Vendor Advisory
Issue Tracking
Permissions Required