CVSS3: 8.1 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9.3 High

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.33 Low (Percentile: 97.0%)

Windows 10 does not warn users before opening executable files with the
SettingContent-ms extension even when they have been downloaded from the
internet and have the “Mark of the Web.” Without the warning, unsuspecting
users unfamiliar with this new file type might run an unwanted executable.
This also allows a WebExtension with the limited downloads.open permission
to execute arbitrary code without user interaction on Windows 10 systems.
Note: this issue only affects Windows operating systems. Other operating
systems are unaffected. This vulnerability affects Thunderbird < 60,
Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox <
61.
Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
launchpad.net/bugs/cve/CVE-2018-12368
nvd.nist.gov/vuln/detail/CVE-2018-12368
security-tracker.debian.org/tracker/CVE-2018-12368
www.cve.org/CVERecord?id=CVE-2018-12368
www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12368
www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-12368