Main Vulnerability Database Vulnerabilities #VU17264

#VU17264 Information disclosure in Mozilla Firefox - CVE-2018-18506

Published: January 29, 2019

Vulnerability identifier: #VU17264

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-18506

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Mozilla Firefox

Software vendor:
Mozilla

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in proxy support implementation. When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attacks on services and tools that bind to the localhost for networked behavior if they are accessed through browsing.

A remote attacker can trick the victim to visit a specially crafted website and gain unauthorized access to services or resources, exposed on user's system.

Remediation

Install updates from vendor's website.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/

#VU17264 Information disclosure in Mozilla Firefox - CVE-2018-18506

Description

Remediation

External links

Please verify you're human