CVE-2018-12364

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.

References

http://www.securityfocus.com/bid/104560

http://www.securitytracker.com/id/1041193

https://access.redhat.com/errata/RHSA-2018:2112

https://access.redhat.com/errata/RHSA-2018:2113

https://access.redhat.com/errata/RHSA-2018:2251

https://access.redhat.com/errata/RHSA-2018:2252

https://bugzilla.mozilla.org/show_bug.cgi?id=1436241

https://lists.debian.org/debian-lts-announce/2018/06/msg00014.html

https://lists.debian.org/debian-lts-announce/2018/07/msg00013.html

https://security.gentoo.org/glsa/201810-01

https://security.gentoo.org/glsa/201811-13

https://usn.ubuntu.com/3705-1/

https://usn.ubuntu.com/3714-1/

https://www.debian.org/security/2018/dsa-4235

https://www.debian.org/security/2018/dsa-4244

https://www.mozilla.org/security/advisories/mfsa2018-15/

https://www.mozilla.org/security/advisories/mfsa2018-16/

https://www.mozilla.org/security/advisories/mfsa2018-17/

https://www.mozilla.org/security/advisories/mfsa2018-18/

https://www.mozilla.org/security/advisories/mfsa2018-19/

Details

Source: MITRE

Published: 2018-10-18

Updated: 2018-12-03

Type: CWE-352

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.8

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration 4

OR

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Tenable Plugins

View all (57 total)

IDNameProductFamilySeverity
127413NewStart CGSL MAIN 4.05 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0145)NessusNewStart CGSL Local Security Checks
critical
127404NewStart CGSL MAIN 4.05 : firefox Multiple Vulnerabilities (NS-SA-2019-0141)NessusNewStart CGSL Local Security Checks
critical
127208NewStart CGSL CORE 5.04 / MAIN 5.04 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0037)NessusNewStart CGSL Local Security Checks
critical
127198NewStart CGSL CORE 5.04 / MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2019-0032)NessusNewStart CGSL Local Security Checks
critical
123293openSUSE Security Update : MozillaThunderbird (openSUSE-2019-680)NessusSuSE Local Security Checks
critical
123288openSUSE Security Update : MozillaThunderbird (openSUSE-2019-664)NessusSuSE Local Security Checks
critical
123263openSUSE Security Update : seamonkey (openSUSE-2019-602)NessusSuSE Local Security Checks
critical
123208openSUSE Security Update : Mozilla Thunderbird (openSUSE-2019-503)NessusSuSE Local Security Checks
critical
123203openSUSE Security Update : MozillaFirefox (openSUSE-2019-494)NessusSuSE Local Security Checks
critical
120074SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2018:2298-1)NessusSuSE Local Security Checks
high
119133GLSA-201811-13 : Mozilla Thunderbird: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
118279SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2018:2322-2)NessusSuSE Local Security Checks
critical
117987openSUSE Security Update : MozillaThunderbird (openSUSE-2018-1139)NessusSuSE Local Security Checks
critical
117894GLSA-201810-01 : Mozilla Firefox: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
117383openSUSE Security Update : MozillaThunderbird (openSUSE-2018-994)NessusSuSE Local Security Checks
critical
112086Amazon Linux 2 : thunderbird (ALAS-2018-1061)NessusAmazon Linux Local Security Checks
critical
700341Mozilla Firefox ESR < 60.1 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
high
700339Mozilla Firefox ESR < 52.9 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
high
700330Mozilla Firefox < 61 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
high
111981Mozilla Thunderbird < 60.0 Multiple VulnerabilitiesNessusWindows
high
111980Mozilla Thunderbird < 60.0 Multiple Vulnerabilities (macOS)NessusMacOS X Local Security Checks
high
111780openSUSE Security Update : seamonkey (openSUSE-2018-867)NessusSuSE Local Security Checks
critical
111745SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2018:2325-1)NessusSuSE Local Security Checks
critical
111743SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2018:2322-1)NessusSuSE Local Security Checks
critical
111356CentOS 6 : thunderbird (CESA-2018:2251)NessusCentOS Local Security Checks
critical
111344Scientific Linux Security Update : thunderbird on SL7.x x86_64 (20180725)NessusScientific Linux Local Security Checks
critical
111343Scientific Linux Security Update : thunderbird on SL6.x i386/x86_64 (20180725)NessusScientific Linux Local Security Checks
critical
111341CentOS 7 : thunderbird (CESA-2018:2252)NessusCentOS Local Security Checks
critical
111323RHEL 7 : thunderbird (RHSA-2018:2252)NessusRed Hat Local Security Checks
critical
111322RHEL 6 : thunderbird (RHSA-2018:2251)NessusRed Hat Local Security Checks
critical
111320Oracle Linux 7 : thunderbird (ELSA-2018-2252)NessusOracle Linux Local Security Checks
critical
111319Oracle Linux 6 : thunderbird (ELSA-2018-2251)NessusOracle Linux Local Security Checks
critical
111087Debian DSA-4244-1 : thunderbird - security updateNessusDebian Local Security Checks
critical
111083Debian DLA-1425-1 : thunderbird security updateNessusDebian Local Security Checks
critical
111074CentOS 6 : firefox (CESA-2018:2112)NessusCentOS Local Security Checks
critical
111060Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : Thunderbird vulnerabilities (USN-3714-1)NessusUbuntu Local Security Checks
critical
111044Mozilla Thunderbird < 52.9 Multiple VulnerabilitiesNessusWindows
high
111043Mozilla Thunderbird < 52.9 Multiple Vulnerabilities (macOS)NessusMacOS X Local Security Checks
high
111013CentOS 7 : firefox (CESA-2018:2113)NessusCentOS Local Security Checks
critical
111005Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : Firefox regressions (USN-3705-2)NessusUbuntu Local Security Checks
critical
110971Scientific Linux Security Update : firefox on SL6.x i386/x86_64 (20180628)NessusScientific Linux Local Security Checks
critical
110959openSUSE Security Update : Mozilla Thunderbird (openSUSE-2018-701)NessusSuSE Local Security Checks
critical
110942Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : firefox vulnerabilities (USN-3705-1)NessusUbuntu Local Security Checks
critical
110935Scientific Linux Security Update : firefox on SL7.x x86_64 (20180628)NessusScientific Linux Local Security Checks
critical
110917Oracle Linux 7 : firefox (ELSA-2018-2113)NessusOracle Linux Local Security Checks
critical
110815Debian DLA-1406-1 : firefox-esr security updateNessusDebian Local Security Checks
critical
110811Mozilla Firefox < 61 Multiple Critical VulnerabilitiesNessusWindows
high
110810Mozilla Firefox ESR < 60.1 Multiple Critical VulnerabilitiesNessusWindows
high
110809Mozilla Firefox ESR < 52.9 Multiple Critical VulnerabilitiesNessusWindows
high
110808Mozilla Firefox ESR < 60.1 Multiple Vulnerabilities (macOS)NessusMacOS X Local Security Checks
high
110807Mozilla Firefox ESR < 52.9 Multiple Vulnerabilities (macOS)NessusMacOS X Local Security Checks
high
110806Mozilla Firefox < 61 Multiple Critical Vulnerabilities (macOS)NessusMacOS X Local Security Checks
high
110801openSUSE Security Update : MozillaFirefox (openSUSE-2018-676)NessusSuSE Local Security Checks
critical
110800RHEL 7 : firefox (RHSA-2018:2113)NessusRed Hat Local Security Checks
critical
110799RHEL 6 : firefox (RHSA-2018:2112)NessusRed Hat Local Security Checks
critical
110729Debian DSA-4235-1 : firefox-esr - security updateNessusDebian Local Security Checks
critical
110700FreeBSD : mozilla -- multiple vulnerabilities (cd81806c-26e7-4d4a-8425-02724a2f48af)NessusFreeBSD Local Security Checks
critical