CVE-2018-5168
Publication date 10 May 2018
Last updated 25 August 2025
Ubuntu priority
Description
Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| firefox | 18.04 LTS bionic |
Fixed 60.0+build2-0ubuntu1
|
| 16.04 LTS xenial |
Fixed 60.0+build2-0ubuntu0.16.04.1
|
|
| 14.04 LTS trusty |
Fixed 60.0+build2-0ubuntu0.14.04.1
|
|
| thunderbird | 18.04 LTS bionic |
Fixed 1:52.8.0+build1-0ubuntu0.18.04.1
|
| 16.04 LTS xenial |
Fixed 1:52.8.0+build1-0ubuntu0.16.04.1
|
|
| 14.04 LTS trusty |
Fixed 1:52.8.0+build1-0ubuntu0.14.04.1
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.3 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-3645-1
- Firefox vulnerabilities
- 11 May 2018
- USN-3660-1
- Thunderbird vulnerabilities
- 25 May 2018