The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. This can allow for the theft of cookies and authorization tokens which are accessible to that context. This vulnerability affects Firefox < 60.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/104139 | Third Party Advisory VDB Entry |
http://www.securitytracker.com/id/1040896 | Third Party Advisory VDB Entry |
https://bugzilla.mozilla.org/show_bug.cgi?id=1442840 | Issue Tracking Permissions Required Vendor Advisory |
https://usn.ubuntu.com/3645-1/ | Third Party Advisory |
https://www.mozilla.org/security/advisories/mfsa2018-11/ | Vendor Advisory |
http://www.securityfocus.com/bid/104139 | Third Party Advisory VDB Entry |
http://www.securitytracker.com/id/1040896 | Third Party Advisory VDB Entry |
https://bugzilla.mozilla.org/show_bug.cgi?id=1442840 | Issue Tracking Permissions Required Vendor Advisory |
https://usn.ubuntu.com/3645-1/ | Third Party Advisory |
https://www.mozilla.org/security/advisories/mfsa2018-11/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
21 Nov 2024, 04:08
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.securityfocus.com/bid/104139 - Third Party Advisory, VDB Entry | |
References | () http://www.securitytracker.com/id/1040896 - Third Party Advisory, VDB Entry | |
References | () https://bugzilla.mozilla.org/show_bug.cgi?id=1442840 - Issue Tracking, Permissions Required, Vendor Advisory | |
References | () https://usn.ubuntu.com/3645-1/ - Third Party Advisory | |
References | () https://www.mozilla.org/security/advisories/mfsa2018-11/ - Vendor Advisory |
Information
Published : 2018-06-11 21:29
Updated : 2024-11-21 04:08
NVD link : CVE-2018-5176
Mitre link : CVE-2018-5176
CVE.ORG link : CVE-2018-5176
JSON object : View
Products Affected
mozilla
- firefox
canonical
- ubuntu_linux
CWE
CWE-20
Improper Input Validation