CVE-2018-12368

2018-10-1813:29:00

Debian Security Bug Tracker

security-tracker.debian.org

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.33 Low

EPSS

Percentile

97.0%

JSON

Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the “Mark of the Web.” Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. Note: this issue only affects Windows operating systems. Other operating systems are unaffected.. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.

OSVersionArchitecturePackageVersionFilename
Debian999allfirefox< 125.0.2-1firefox_125.0.2-1_all.deb
Debian12allfirefox-esr< 115.7.0esr-1~deb12u1firefox-esr_115.7.0esr-1~deb12u1_all.deb
Debian11allfirefox-esr< 115.7.0esr-1~deb11u1firefox-esr_115.7.0esr-1~deb11u1_all.deb
Debian10allfirefox-esr< 91.12.0esr-1~deb10u1firefox-esr_91.12.0esr-1~deb10u1_all.deb
Debian999allfirefox-esr< 115.10.0esr-1firefox-esr_115.10.0esr-1_all.deb
Debian13allfirefox-esr< 115.8.0esr-1firefox-esr_115.8.0esr-1_all.deb
Debian12allthunderbird< 1:115.7.0-1~deb12u1thunderbird_1:115.7.0-1~deb12u1_all.deb
Debian11allthunderbird< 1:115.7.0-1~deb11u1thunderbird_1:115.7.0-1~deb11u1_all.deb
Debian10allthunderbird< 1:91.12.0-1~deb10u1thunderbird_1:91.12.0-1~deb10u1_all.deb
Debian999allthunderbird< 1:115.10.1-1thunderbird_1:115.10.1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	999	all	firefox	< 125.0.2-1	firefox_125.0.2-1_all.deb
Debian	12	all	firefox-esr	< 115.7.0esr-1~deb12u1	firefox-esr_115.7.0esr-1~deb12u1_all.deb
Debian	11	all	firefox-esr	< 115.7.0esr-1~deb11u1	firefox-esr_115.7.0esr-1~deb11u1_all.deb
Debian	10	all	firefox-esr	< 91.12.0esr-1~deb10u1	firefox-esr_91.12.0esr-1~deb10u1_all.deb
Debian	999	all	firefox-esr	< 115.10.0esr-1	firefox-esr_115.10.0esr-1_all.deb
Debian	13	all	firefox-esr	< 115.8.0esr-1	firefox-esr_115.8.0esr-1_all.deb
Debian	12	all	thunderbird	< 1:115.7.0-1~deb12u1	thunderbird_1:115.7.0-1~deb12u1_all.deb
Debian	11	all	thunderbird	< 1:115.7.0-1~deb11u1	thunderbird_1:115.7.0-1~deb11u1_all.deb
Debian	10	all	thunderbird	< 1:91.12.0-1~deb10u1	thunderbird_1:91.12.0-1~deb10u1_all.deb
Debian	999	all	thunderbird	< 1:115.10.1-1	thunderbird_1:115.10.1-1_all.deb