First published: Wed May 09 2018 (Updated: )
If a text string that happens to be a filename in the operating system's native format is dragged and dropped onto the address bar, the specified local file will be opened. This is contrary to policy and is what would happen if the string were the equivalent "file:" URL. This vulnerability affects Firefox < 60.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | <60 | 60 |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =17.10 | |
| Canonical Ubuntu Linux | =18.04 | |
| Mozilla Firefox | <60.0 | |
| debian/firefox | 131.0.2-2 | |
CVE-2018-5182 is a vulnerability in Mozilla Firefox where dragging and dropping a text string that happens to be a filename onto the address bar can open a specified local file, contrary to policy.
CVE-2018-5182 has a severity rating of high with a CVSS score of 7.5.
Mozilla Firefox versions up to but excluding 60.0 are affected by CVE-2018-5182.
To fix CVE-2018-5182, update Mozilla Firefox to version 60.0 or later.
The references for CVE-2018-5182 are:
- [Mozilla Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1435908)
- [Mozilla Security Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/)
- [SecurityFocus](http://www.securityfocus.com/bid/104139)