gsd-2018-5173
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
The filename appearing in the "Downloads" panel improperly renders some Unicode characters, allowing for the file name to be spoofed. This can be used to obscure the file extension of potentially executable files from user view in the panel. Note: the dialog to open the file will show the full, correct filename and whether it is executable or not. This vulnerability affects Firefox < 60.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-5173",
"description": "The filename appearing in the \"Downloads\" panel improperly renders some Unicode characters, allowing for the file name to be spoofed. This can be used to obscure the file extension of potentially executable files from user view in the panel. Note: the dialog to open the file will show the full, correct filename and whether it is executable or not. This vulnerability affects Firefox \u003c 60.",
"id": "GSD-2018-5173",
"references": [
"https://www.suse.com/security/cve/CVE-2018-5173.html",
"https://ubuntu.com/security/CVE-2018-5173",
"https://security.archlinux.org/CVE-2018-5173"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-5173"
],
"details": "The filename appearing in the \"Downloads\" panel improperly renders some Unicode characters, allowing for the file name to be spoofed. This can be used to obscure the file extension of potentially executable files from user view in the panel. Note: the dialog to open the file will show the full, correct filename and whether it is executable or not. This vulnerability affects Firefox \u003c 60.",
"id": "GSD-2018-5173",
"modified": "2023-12-13T01:22:40.536188Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2018-5173",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firefox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "60"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The filename appearing in the \"Downloads\" panel improperly renders some Unicode characters, allowing for the file name to be spoofed. This can be used to obscure the file extension of potentially executable files from user view in the panel. Note: the dialog to open the file will show the full, correct filename and whether it is executable or not. This vulnerability affects Firefox \u003c 60."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "File name spoofing of Downloads panel with Unicode characters"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mozilla.org/security/advisories/mfsa2018-11/",
"refsource": "CONFIRM",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-11/"
},
{
"name": "1040896",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040896"
},
{
"name": "USN-3645-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3645-1/"
},
{
"name": "104139",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104139"
},
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1438025",
"refsource": "CONFIRM",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1438025"
}
]
}
},
"mozilla.org": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2018-5173"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firefox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "60"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The filename appearing in the \u003ccode\u003eDownloads\u003c/code\u003e panel improperly renders some Unicode characters, allowing for the file name to be spoofed. This can be used to obscure the file extension of potentially executable files from user view in the panel. \u003cbr\u003e*Note: the dialog to open the file will show the full, correct filename and whether it is executable or not.*. This vulnerability affects Firefox \u003c 60."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "File name spoofing of Downloads panel with Unicode characters"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://www.mozilla.org/security/advisories/mfsa2018-11/"
},
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1438025"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "60.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2018-5173"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The filename appearing in the \"Downloads\" panel improperly renders some Unicode characters, allowing for the file name to be spoofed. This can be used to obscure the file extension of potentially executable files from user view in the panel. Note: the dialog to open the file will show the full, correct filename and whether it is executable or not. This vulnerability affects Firefox \u003c 60."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mozilla.org/security/advisories/mfsa2018-11/",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2018-11/"
},
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1438025",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Vendor Advisory",
"Permissions Required"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1438025"
},
{
"name": "USN-3645-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3645-1/"
},
{
"name": "1040896",
"refsource": "SECTRACK",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1040896"
},
{
"name": "104139",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/104139"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4
}
},
"lastModifiedDate": "2018-08-03T14:43Z",
"publishedDate": "2018-06-11T21:29Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.