CVE-2018-12368

CVSS v3.0 8.1 (High)
CVSS v2.0 9.3 (High)
EPSS 25.82 % (97th)
Affected Products 4
Advisories 11

Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. Note: this issue only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.

Weaknesses
CWE-NVD-noinfo
CVE Status
PUBLISHED
CNA
Mozilla Corporation
Published Date
2018-10-18 13:29:03
(6 years ago)
Updated Date
2019-10-03 00:03:26
(5 years ago)

Affected Products

Configuration #1

AND
Operator             Product                                                          CPE23                           From      Up To
OR                   Mozilla Firefox prior 61.0 version                               cpe:2.3:a:mozilla:firefox                 < 61.0
OR  Running on/with  Mozilla Firefox Esr prior 52.9 version                           cpe:2.3:a:mozilla:firefox_esr             < 52.9
OR  Running on/with  Mozilla Firefox Esr from 53.0 version and prior 60.1.0 version   cpe:2.3:a:mozilla:firefox_esr   >= 53.0   < 60.1.0
OR  Running on/with  Mozilla Thunderbird prior 52.9 version                           cpe:2.3:a:mozilla:thunderbird             < 52.9
OR  Running on/with  Microsoft Windows 10                                             cpe:2.3:o:microsoft:windows_10