CVE-2018-12364

 

Published at: - 18-10-2018 03:29

Last modified: - 24-09-2022 03:03

Total changes: - 2

Description

NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.

Common Vulnerability Scoring System (CVSS)

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://www.mozilla.org/security/advisories/mfsa2018-19/
• https://www.mozilla.org/security/advisories/mfsa2018-18/
• https://www.mozilla.org/security/advisories/mfsa2018-17/
• https://www.mozilla.org/security/advisories/mfsa2018-16/
• https://www.mozilla.org/security/advisories/mfsa2018-15/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1436241
• DSA-4244-Third Party Advisory
• DSA-4235-Third Party Advisory
• USN-3714-1-Third Party Advisory
• USN-3705-1-Third Party Advisory
• [debian-lts-announce] 20180714 [SECURITY] [DLA 1425-1] thunderbird security update-Mailing List, Third Party Advisory
• [debian-lts-announce] 20180629 [SECURITY] [DLA 1406-1] firefox-esr security update-Mailing List, Third Party Advisory
• RHSA-2018:2252-Third Party Advisory
• RHSA-2018:2251-Third Party Advisory
• RHSA-2018:2113-Third Party Advisory
• RHSA-2018:2112-Third Party Advisory
• 1041193-Third Party Advisory, VDB Entry
• 104560-Third Party Advisory, VDB Entry
• GLSA-201810-01-Third Party Advisory
• GLSA-201811-13-Third Party Advisory

 

Keywords

NVD

 

CVE-2018-12364

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures