CVE-2018-12364
Vulnerability Summary
Timeline
Description
NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
CVSS Metrics
- v3.0•HIGH•Score: 8.8CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 2.54%• Percentile: 86%
Techniques & Countermeasures
- CWE-352•Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Affected Systems
- canonical•ubuntu_linux
14.04 | 16.04 | 17.10 | 18.04
- debian•debian_linux
8.0 | 9.0
- Unknown•Firefox
< 61.0 | ≥ 53.0, < 60.1.0 | ≥ unspecified, < 61
- mozilla•firefox_esr
< 52.9 | ≥ unspecified, < 60.1 | ≥ unspecified, < 52.9
- mozilla•thunderbird
< 52.9 | ≥ 52.9.1, < 60.0 | ≥ unspecified, < 60 | ≥ unspecified, < 52.9
- redhat•enterprise_linux_desktop
6.0 | 7.0
- redhat•enterprise_linux_server
6.0 | 7.0
- redhat•enterprise_linux_server_aus
7.6
- redhat•enterprise_linux_server_eus
7.5 | 7.6
- redhat•enterprise_linux_server_tus
7.6
- redhat•enterprise_linux_workstation
6.0 | 7.0
References (20)
- https://security.gentoo.org/glsa/201810-01
- https://www.mozilla.org/security/advisories/mfsa2018-15/
- https://access.redhat.com/errata/RHSA-2018:2112
- https://security.gentoo.org/glsa/201811-13
- https://www.debian.org/security/2018/dsa-4235
- https://www.mozilla.org/security/advisories/mfsa2018-18/
- https://access.redhat.com/errata/RHSA-2018:2113
- https://www.mozilla.org/security/advisories/mfsa2018-16/
- https://www.debian.org/security/2018/dsa-4244
- http://www.securityfocus.com/bid/104560
- http://www.securitytracker.com/id/1041193
- https://www.mozilla.org/security/advisories/mfsa2018-19/
- https://access.redhat.com/errata/RHSA-2018:2252
- https://bugzilla.mozilla.org/show_bug.cgi?id=1436241
- https://www.mozilla.org/security/advisories/mfsa2018-17/
- https://lists.debian.org/debian-lts-announce/2018/07/msg00013.html
- https://access.redhat.com/errata/RHSA-2018:2251
- https://usn.ubuntu.com/3705-1/
- https://usn.ubuntu.com/3714-1/
- https://lists.debian.org/debian-lts-announce/2018/06/msg00014.html