Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2018-12402

Date: February 28, 2019

The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of "Save Page As..." functionality. For example, a malicious page could recover a visitor's Windows username and NTLM hash by including resources otherwise unreachable to the malicious page, if they can convince the visitor to save the complete web page. Similarly, SameSite cookies are sent on cross-origin requests when the "Save Page As..." menu item is selected to save a page, which can result in saving the wrong version of resources based on those cookies. This vulnerability affects Firefox < 63.

Language: Unix

Severity Score

Related Resources (9)

https://www.mozilla.org/security/advisories/mfsa2018-26/
https://usn.ubuntu.com/3801-1/
http://www.securityfocus.com/bid/105721
https://bugzilla.mozilla.org/show_bug.cgi?id=1447087
https://bugzilla.mozilla.org/show_bug.cgi?id=1469916
https://access.redhat.com/security/cve/CVE-2018-12402
http://www.securitytracker.com/id/1041944
https://nvd.nist.gov/vuln/detail/CVE-2018-12402
https://www.mend.io/vulnerability-database/CVE-2018-12402

Severity Score

Weakness Type (CWE)

Improper Access Control

CWE-284

Origin Validation Error

CWE-346

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us