CVE-2018-5168

🗓️ 11 Jun 2018 21:00:00Reported by mozillaType

Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8

Reporter	Title	Published	Views	Family All 159
ALT Linux	Security fix for the ALT Linux 10 package firefox-esr version 60.0.1-alt1	5 Jun 201800:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 10 package firefox-esr version 52.8.0-alt1	9 May 201800:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 10 package thunderbird version 52.8.0-alt1	19 May 201800:00	–	altlinux
FreeBSD	mozilla -- multiple vulnerabilities	9 May 201800:00	–	freebsd
Tenable Nessus	Mozilla Firefox ESR < 52.8 Multiple Vulnerabilities	21 Aug 201800:00	–	nessus
Tenable Nessus	Amazon Linux 2 : thunderbird (ALAS-2018-1032)	12 Jun 201800:00	–	nessus
Tenable Nessus	CentOS 6 : firefox (CESA-2018:1414)	21 May 201800:00	–	nessus
Tenable Nessus	CentOS 7 : firefox (CESA-2018:1415)	31 May 201800:00	–	nessus
Tenable Nessus	CentOS 7 : thunderbird (CESA-2018:1725)	30 May 201800:00	–	nessus
Tenable Nessus	CentOS 6 : thunderbird (CESA-2018:1726)	30 May 201800:00	–	nessus

NVD

Vulners

Node

debian debian_linuxMatch7.0

debian debian_linuxMatch8.0

debian debian_linuxMatch9.0

Node

mozilla firefoxRange<52.8.0

mozilla firefoxRange<60.0

mozilla thunderbirdRange<52.8.0

mozilla thunderbird_esrRange<52.8.0

Node

canonical ubuntu_linuxMatch14.04lts

canonical ubuntu_linuxMatch16.04lts

canonical ubuntu_linuxMatch17.10

canonical ubuntu_linuxMatch18.04lts

Node

redhat enterprise_linux_desktopMatch6.0

redhat enterprise_linux_desktopMatch7.0

redhat enterprise_linux_serverMatch6.0

redhat enterprise_linux_serverMatch7.0

redhat enterprise_linux_server_ausMatch7.6

redhat enterprise_linux_server_eusMatch7.5

redhat enterprise_linux_server_eusMatch7.6

redhat enterprise_linux_server_tusMatch7.6

redhat enterprise_linux_workstationMatch6.0

redhat enterprise_linux_workstationMatch7.0

[
  {
    "product": "Thunderbird",
    "vendor": "Mozilla",
    "versions": [
      {
        "lessThan": "52.8",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Thunderbird ESR",
    "vendor": "Mozilla",
    "versions": [
      {
        "lessThan": "52.8",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Firefox",
    "vendor": "Mozilla",
    "versions": [
      {
        "lessThan": "60",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Firefox ESR",
    "vendor": "Mozilla",
    "versions": [
      {
        "lessThan": "52.8",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
lists	www.lists.debian.org/debian-lts-announce/2018/05/msg00007.html
securityfocus	www.securityfocus.com/bid/104136
mozilla	www.mozilla.org/security/advisories/mfsa2018-11/
lists	www.lists.debian.org/debian-lts-announce/2018/05/msg00013.html
security	www.security.gentoo.org/glsa/201811-13
usn	www.usn.ubuntu.com/3660-1/
security	www.security.gentoo.org/glsa/201810-01
debian	www.debian.org/security/2018/dsa-4199
access	www.access.redhat.com/errata/RHSA-2018:1415
usn	www.usn.ubuntu.com/3645-1/

25 Nov 2025 17:50Current

6.6Medium risk

Vulners AI Score6.6

CVSS 25

CVSS 35.3

EPSS0.01032