CVE-2018-12368

EUVD-2018-4342
Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
Affected Products (NVD)
VendorProductVersion
mozillafirefox
𝑥
< 61.0
mozillafirefox
53.0 ≤
𝑥
< 60.1.0
mozillafirefox_esr
𝑥
< 52.9
mozillathunderbird
𝑥
< 52.9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
firefox
sid
132.0.1-1
fixed
firefox-esr
bookworm
115.14.0esr-1~deb12u1
fixed
bookworm (security)
128.4.0esr-1~deb12u1
fixed
bullseye
115.14.0esr-1~deb11u1
fixed
bullseye (security)
128.4.0esr-1~deb11u1
fixed
sid
128.4.0esr-1
fixed
trixie
128.3.1esr-2
fixed
thunderbird
bookworm
1:115.12.0-1~deb12u1
fixed
bookworm (security)
1:128.4.0esr-1~deb12u1
fixed
bullseye
1:115.12.0-1~deb11u1
fixed
bullseye (security)
1:128.4.0esr-1~deb11u1
fixed
sid
1:128.4.0esr-1
fixed
trixie
1:128.4.0esr-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
artful
not-affected
bionic
not-affected
trusty
dne
xenial
not-affected
mozjs38
artful
not-affected
bionic
not-affected
trusty
dne
xenial
dne
mozjs52
artful
not-affected
bionic
not-affected
trusty
dne
xenial
dne
thunderbird
artful
not-affected
bionic
not-affected
trusty
dne
xenial
not-affected
References
http://www.securityfocus.com/bid/104560
http://www.securitytracker.com/id/1041193
https://bugzilla.mozilla.org/show_bug.cgi?id=1468217
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
https://security.gentoo.org/glsa/201810-01
https://www.mozilla.org/security/advisories/mfsa2018-15/
https://www.mozilla.org/security/advisories/mfsa2018-16/
https://www.mozilla.org/security/advisories/mfsa2018-17/
https://www.mozilla.org/security/advisories/mfsa2018-18/
https://www.mozilla.org/security/advisories/mfsa2018-19/
http://www.securityfocus.com/bid/104560
http://www.securitytracker.com/id/1041193
https://bugzilla.mozilla.org/show_bug.cgi?id=1468217
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
https://security.gentoo.org/glsa/201810-01
https://www.mozilla.org/security/advisories/mfsa2018-15/
https://www.mozilla.org/security/advisories/mfsa2018-16/
https://www.mozilla.org/security/advisories/mfsa2018-17/
https://www.mozilla.org/security/advisories/mfsa2018-18/
https://www.mozilla.org/security/advisories/mfsa2018-19/