CVE-2018-12364 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2018-12364

CVE-2018-12364

October 18, 2018

NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.

Related Resources (23)

https://www.mozilla.org/security/advisories/mfsa2018-15/

https://www.mozilla.org/security/advisories/mfsa2018-16/

https://usn.ubuntu.com/3705-1/

https://www.debian.org/security/2018/dsa-4244

https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12364

https://lists.debian.org/debian-lts-announce/2018/06/msg00014.html

https://www.mozilla.org/security/advisories/mfsa2018-18/

https://access.redhat.com/security/cve/CVE-2018-12364

http://www.securityfocus.com/bid/104560

https://security.gentoo.org/glsa/201810-01

https://access.redhat.com/errata/RHSA-2018:2113

https://www.mozilla.org/security/advisories/mfsa2018-19/

https://access.redhat.com/errata/RHSA-2018:2251

http://www.securitytracker.com/id/1041193

https://access.redhat.com/errata/RHSA-2018:2112

https://www.debian.org/security/2018/dsa-4235

https://lists.debian.org/debian-lts-announce/2018/07/msg00013.html

https://bugzilla.mozilla.org/show_bug.cgi?id=1436241

https://security-tracker.debian.org/tracker/CVE-2018-12364

https://www.mozilla.org/security/advisories/mfsa2018-17/

https://access.redhat.com/errata/RHSA-2018:2252

https://security.gentoo.org/glsa/201811-13

https://usn.ubuntu.com/3714-1/

Do you need more information?

CVSS v4

Base Score:

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

CVSS v2

Base Score:

6.8

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

EPSS

Base Score:

2.67