CVE-2018-5174

HIGH
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the "SEE_MASK_FLAG_NO_UI" flag associated with downloaded files and will not show any UI. Files that are unknown and potentially dangerous will be allowed to run because SmartScreen will not prompt the user for a decision, and if the user is offline all files will be allowed to be opened because Windows won't prompt the user to ask what to do. Firefox incorrectly sets this flag when downloading files, leading to less secure behavior from SmartScreen. Note: this issue only affects Windows 10 users running the April 2018 update or later. It does not affect other Windows users or other operating systems. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.

References

http://www.securityfocus.com/bid/104136

http://www.securitytracker.com/id/1040896

https://bugzilla.mozilla.org/show_bug.cgi?id=1447080

https://www.mozilla.org/security/advisories/mfsa2018-11/

https://www.mozilla.org/security/advisories/mfsa2018-12/

https://www.mozilla.org/security/advisories/mfsa2018-13/

Details

Source: MITRE

Published: 2018-06-11

Updated: 2019-10-03

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

View all (13 total)

IDNameProductFamilySeverity
130450SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:2872-1)NessusSuSE Local Security Checks
critical
123171openSUSE Security Update : Mozilla Thunderbird (openSUSE-2019-364)NessusSuSE Local Security Checks
critical
118254SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2018:1334-2)NessusSuSE Local Security Checks
critical
700337Mozilla Firefox ESR < 52.8 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
high
109946Mozilla Thunderbird < 52.8 Multiple Vulnerabilities (EFAIL)NessusWindows
critical
109939SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2018:1334-1)NessusSuSE Local Security Checks
critical
109935openSUSE Security Update : Mozilla Thunderbird (openSUSE-2018-486)NessusSuSE Local Security Checks
critical
109887SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2018:1319-1)NessusSuSE Local Security Checks
critical
109869Mozilla Firefox < 60 Multiple Critical VulnerabilitiesNessusWindows
critical
109868Mozilla Firefox ESR < 52.8 Multiple Critical VulnerabilitiesNessusWindows
critical
109867Mozilla Firefox < 60 Multiple Critical Vulnerabilities (macOS)NessusMacOS X Local Security Checks
critical
109866Mozilla Firefox ESR < 52.8 Multiple Critical Vulnerabilities (macOS)NessusMacOS X Local Security Checks
critical
109661FreeBSD : mozilla -- multiple vulnerabilities (5aefc41e-d304-4ec8-8c82-824f84f08244)NessusFreeBSD Local Security Checks
critical