CVE-2018-12368

 

Published at: - 18-10-2018 03:29

Last modified: - 22-11-2022 05:52

Total changes: - 5

Description

Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.

Common Vulnerability Scoring System (CVSS)

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://www.mozilla.org/security/advisories/mfsa2018-19/
• https://www.mozilla.org/security/advisories/mfsa2018-18/
• https://www.mozilla.org/security/advisories/mfsa2018-17/
• https://www.mozilla.org/security/advisories/mfsa2018-16/
• https://www.mozilla.org/security/advisories/mfsa2018-15/
• https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
• https://bugzilla.mozilla.org/show_bug.cgi?id=1468217
• 1041193-Third Party Advisory, VDB Entry
• 104560-Third Party Advisory, VDB Entry
• GLSA-201810-01-Third Party Advisory

 

Keywords

NVD

 

CVE-2018-12368

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures