{"api_version":"1","generated_at":"2026-04-23T06:07:54+00:00","cve":"CVE-2018-12368","urls":{"html":"https://cve.report/CVE-2018-12368","api":"https://cve.report/api/cve/CVE-2018-12368.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-12368","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-12368"},"summary":{"title":"CVE-2018-12368","description":"Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the \"Mark of the Web.\" Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2018-10-18 13:29:00","updated_at":"2019-10-03 00:03:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/104560","name":"104560","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox and Firefox ESR Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.mozilla.org/security/advisories/mfsa2018-16/","name":"https://www.mozilla.org/security/advisories/mfsa2018-16/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox ESR 60.1 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39","name":"https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"The Tale of SettingContent-ms Files – Posts By SpecterOps Team Members","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2018-18/","name":"https://www.mozilla.org/security/advisories/mfsa2018-18/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Thunderbird 52.9 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2018-15/","name":"https://www.mozilla.org/security/advisories/mfsa2018-15/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox 61 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1041193","name":"1041193","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox Multiple Bugs Let Remote Users Conduct Cross-Site Request Forgery Attacks, Bypass Security Restrictions, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1468217","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1468217","refsource":"CONFIRM","tags":["Issue Tracking","Permissions Required","Vendor Advisory"],"title":"1468217 - (CVE-2018-12368) .SettingContent-ms file extension bypasses 'dangerous file' prompt leading to WebExt RCE","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2018-17/","name":"https://www.mozilla.org/security/advisories/mfsa2018-17/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox ESR 52.9 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201810-01","name":"GLSA-201810-01","refsource":"GENTOO","tags":["Third Party Advisory"],"title":"Mozilla Firefox: Multiple vulnerabilities (GLSA 201810-01) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2018-19/","name":"https://www.mozilla.org/security/advisories/mfsa2018-19/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Thunderbird 60 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-12368","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-12368","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"12368","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows_10","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12368","vulnerable":"0","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows_10","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12368","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12368","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12368","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12368","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12368","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12368","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-12368","qid":"710279","title":"Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 201810-01)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@mozilla.org","ID":"CVE-2018-12368","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Thunderbird","version":{"version_data":[{"version_affected":"<","version_value":"60"},{"version_affected":"<","version_value":"52.9"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_affected":"<","version_value":"60.1"},{"version_affected":"<","version_value":"52.9"}]}},{"product_name":"Firefox","version":{"version_data":[{"version_affected":"<","version_value":"61"}]}}]},"vendor_name":"Mozilla"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the \"Mark of the Web.\" Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"No warning when opening executable SettingContent-ms files"}]}]},"references":{"reference_data":[{"name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1468217","refsource":"CONFIRM","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1468217"},{"name":"GLSA-201810-01","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201810-01"},{"name":"https://www.mozilla.org/security/advisories/mfsa2018-15/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2018-15/"},{"name":"https://www.mozilla.org/security/advisories/mfsa2018-18/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2018-18/"},{"name":"https://www.mozilla.org/security/advisories/mfsa2018-16/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2018-16/"},{"name":"https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39","refsource":"MISC","url":"https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"},{"name":"104560","refsource":"BID","url":"http://www.securityfocus.com/bid/104560"},{"name":"1041193","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1041193"},{"name":"https://www.mozilla.org/security/advisories/mfsa2018-19/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2018-19/"},{"name":"https://www.mozilla.org/security/advisories/mfsa2018-17/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2018-17/"}]}},"nvd":{"publishedDate":"2018-10-18 13:29:00","lastModifiedDate":"2019-10-03 00:03:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9.3},"severity":"HIGH","exploitabilityScore":8.6,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"61.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"52.9","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionStartIncluding":"53.0","versionEndExcluding":"60.1.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"52.9","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"12368","Ordinal":"128886","Title":"CVE-2018-12368","CVE":"CVE-2018-12368","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"12368","Ordinal":"1","NoteData":"Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the \"Mark of the Web.\" Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"12368","Ordinal":"2","NoteData":"2018-10-18","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"12368","Ordinal":"3","NoteData":"2018-10-20","Type":"Other","Title":"Modified"}]}}}