CVE-2018-5176 Information

Description

The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. This can allow for the theft of cookies and authorization tokens which are accessible to that context. This vulnerability affects Firefox 60.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

http://www.securityfocus.com/bid/104139
http://www.securitytracker.com/id/1040896
https://bugzilla.mozilla.org/show_bug.cgi?id=1442840
https://usn.ubuntu.com/3645-1/
https://www.mozilla.org/security/advisories/mfsa2018-11/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Base Severity

MEDIUM
