{"api_version":"1","generated_at":"2026-04-23T11:33:06+00:00","cve":"CVE-2018-5135","urls":{"html":"https://cve.report/CVE-2018-5135","api":"https://cve.report/api/cve/CVE-2018-5135.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-5135","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-5135"},"summary":{"title":"CVE-2018-5135","description":"WebExtensions can bypass normal restrictions in some circumstances and use \"browser.tabs.executeScript\" to inject scripts into contexts where this should not be allowed, such as pages from other WebExtensions or unprivileged \"about:\" pages. This vulnerability affects Firefox < 59.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2018-06-11 21:29:00","updated_at":"2019-10-03 00:03:00"},"problem_types":["CWE-862"],"metrics":[],"references":[{"url":"https://www.mozilla.org/security/advisories/mfsa2018-06/","name":"https://www.mozilla.org/security/advisories/mfsa2018-06/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox 59 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1040514","name":"1040514","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox Multiple Bugs Let Remote Users Spoof URLs, Bypass Security Restrictions, Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1431371","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1431371","refsource":"CONFIRM","tags":["Permissions Required"],"title":"1431371 - (CVE-2018-5135) activeTab permission allows executing scripts on pages it shouldn't","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/103386","name":"103386","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox MFSA2018-06 Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://usn.ubuntu.com/3596-1/","name":"USN-3596-1","refsource":"UBUNTU","tags":["Third Party Advisory"],"title":"USN-3596-1: Firefox vulnerabilities | Ubuntu security notices | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-5135","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-5135","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"5135","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5135","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-5135","qid":"690626","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for mozilla (c71cdc95-3c18-45b7-866a-af28b59aabb5)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@mozilla.org","ID":"CVE-2018-5135","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_affected":"<","version_value":"59"}]}}]},"vendor_name":"Mozilla"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"WebExtensions can bypass normal restrictions in some circumstances and use \"browser.tabs.executeScript\" to inject scripts into contexts where this should not be allowed, such as pages from other WebExtensions or unprivileged \"about:\" pages. This vulnerability affects Firefox < 59."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"WebExtension browserAction can inject scripts into unintended contexts"}]}]},"references":{"reference_data":[{"name":"103386","refsource":"BID","url":"http://www.securityfocus.com/bid/103386"},{"name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1431371","refsource":"CONFIRM","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1431371"},{"name":"1040514","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1040514"},{"name":"USN-3596-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/3596-1/"},{"name":"https://www.mozilla.org/security/advisories/mfsa2018-06/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2018-06/"}]}},"nvd":{"publishedDate":"2018-06-11 21:29:00","lastModifiedDate":"2019-10-03 00:03:00","problem_types":["CWE-862"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"59.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"5135","Ordinal":"121089","Title":"CVE-2018-5135","CVE":"CVE-2018-5135","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"5135","Ordinal":"1","NoteData":"WebExtensions can bypass normal restrictions in some circumstances and use \"browser.tabs.executeScript\" to inject scripts into contexts where this should not be allowed, such as pages from other WebExtensions or unprivileged \"about:\" pages. This vulnerability affects Firefox < 59.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"5135","Ordinal":"2","NoteData":"2018-06-11","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"5135","Ordinal":"3","NoteData":"2018-06-12","Type":"Other","Title":"Modified"}]}}}