{"api_version":"1","generated_at":"2026-04-23T06:18:58+00:00","cve":"CVE-2018-12391","urls":{"html":"https://cve.report/CVE-2018-12391","api":"https://cve.report/api/cve/CVE-2018-12391.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-12391","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-12391"},"summary":{"title":"CVE-2018-12391","description":"During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2019-02-28 18:29:00","updated_at":"2020-08-24 17:37:00"},"problem_types":["CWE-863"],"metrics":[],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1478843","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1478843","refsource":"CONFIRM","tags":["Issue Tracking","Permissions Required","Vendor Advisory"],"title":"1478843 - (CVE-2018-12391) Cross-origin audio leak in HLS","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/105769","name":"105769","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"RETIRED: Mozilla Thunderbird MFSA2018-28 Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.mozilla.org/security/advisories/mfsa2018-27/","name":"https://www.mozilla.org/security/advisories/mfsa2018-27/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox ESR 60.3 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/105718","name":"105718","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox and Firefox ESR Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.securitytracker.com/id/1041944","name":"1041944","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox Multiple Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2018-26/","name":"https://www.mozilla.org/security/advisories/mfsa2018-26/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox 63 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2018-28/","name":"https://www.mozilla.org/security/advisories/mfsa2018-28/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Thunderbird ESR 60.3 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201811-13","name":"GLSA-201811-13","refsource":"GENTOO","tags":["Third Party Advisory"],"title":"Mozilla Thunderbird: Multiple vulnerabilities (GLSA 201811-13) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-12391","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-12391","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"12391","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"google","cpe5":"android","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12391","vulnerable":"0","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"google","cpe5":"android","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12391","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12391","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12391","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12391","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12391","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12391","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-12391","qid":"710285","title":"Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 201811-13)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@mozilla.org","ID":"CVE-2018-12391","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_affected":"<","version_value":"63"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_affected":"<","version_value":"60.3"}]}},{"product_name":"Thunderbird","version":{"version_data":[{"version_affected":"<","version_value":"60.3"}]}}]},"vendor_name":"Mozilla"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"HTTP Live Stream audio data is accessible cross-origin"}]}]},"references":{"reference_data":[{"name":"105769","refsource":"BID","url":"http://www.securityfocus.com/bid/105769"},{"name":"https://www.mozilla.org/security/advisories/mfsa2018-28/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2018-28/"},{"name":"https://www.mozilla.org/security/advisories/mfsa2018-26/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2018-26/"},{"name":"GLSA-201811-13","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201811-13"},{"name":"https://www.mozilla.org/security/advisories/mfsa2018-27/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2018-27/"},{"name":"105718","refsource":"BID","url":"http://www.securityfocus.com/bid/105718"},{"name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1478843","refsource":"CONFIRM","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1478843"},{"name":"1041944","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1041944"}]}},"nvd":{"publishedDate":"2019-02-28 18:29:00","lastModifiedDate":"2020-08-24 17:37:00","problem_types":["CWE-863"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9.3},"severity":"HIGH","exploitabilityScore":8.6,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"63.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"60.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"60.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"12391","Ordinal":"128909","Title":"CVE-2018-12391","CVE":"CVE-2018-12391","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"12391","Ordinal":"1","NoteData":"During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"12391","Ordinal":"2","NoteData":"2019-02-28","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"12391","Ordinal":"3","NoteData":"2019-03-01","Type":"Other","Title":"Modified"}]}}}