{"api_version":"1","generated_at":"2026-04-23T11:33:08+00:00","cve":"CVE-2018-5142","urls":{"html":"https://cve.report/CVE-2018-5142","api":"https://cve.report/api/cve/CVE-2018-5142.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-5142","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-5142"},"summary":{"title":"CVE-2018-5142","description":"If Media Capture and Streams API permission is requested from documents with \"data:\" or \"blob:\" URLs, the permission notifications do not properly display the originating domain. The notification states \"Unknown protocol\" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 59.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2018-06-11 21:29:00","updated_at":"2019-10-03 00:03:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://www.mozilla.org/security/advisories/mfsa2018-06/","name":"https://www.mozilla.org/security/advisories/mfsa2018-06/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox 59 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1040514","name":"1040514","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox Multiple Bugs Let Remote Users Spoof URLs, Bypass Security Restrictions, Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/103386","name":"103386","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox MFSA2018-06 Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://usn.ubuntu.com/3596-1/","name":"USN-3596-1","refsource":"UBUNTU","tags":["Third Party Advisory"],"title":"USN-3596-1: Firefox vulnerabilities | Ubuntu security notices | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1366357","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1366357","refsource":"CONFIRM","tags":["Permissions Required"],"title":"1366357 - (CVE-2018-5142) Media Capture and Streams API permission does not inherit requester's origin","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-5142","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-5142","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"5142","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"14.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5142","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5142","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"17.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5142","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"14.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5142","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5142","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"17.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5142","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5142","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-5142","qid":"690626","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for mozilla (c71cdc95-3c18-45b7-866a-af28b59aabb5)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@mozilla.org","ID":"CVE-2018-5142","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_affected":"<","version_value":"59"}]}}]},"vendor_name":"Mozilla"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"If Media Capture and Streams API permission is requested from documents with \"data:\" or \"blob:\" URLs, the permission notifications do not properly display the originating domain. The notification states \"Unknown protocol\" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 59."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs"}]}]},"references":{"reference_data":[{"name":"103386","refsource":"BID","url":"http://www.securityfocus.com/bid/103386"},{"name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1366357","refsource":"CONFIRM","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1366357"},{"name":"1040514","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1040514"},{"name":"USN-3596-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/3596-1/"},{"name":"https://www.mozilla.org/security/advisories/mfsa2018-06/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2018-06/"}]}},"nvd":{"publishedDate":"2018-06-11 21:29:00","lastModifiedDate":"2019-10-03 00:03:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"59.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"5142","Ordinal":"121096","Title":"CVE-2018-5142","CVE":"CVE-2018-5142","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"5142","Ordinal":"1","NoteData":"If Media Capture and Streams API permission is requested from documents with \"data:\" or \"blob:\" URLs, the permission notifications do not properly display the originating domain. The notification states \"Unknown protocol\" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 59.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"5142","Ordinal":"2","NoteData":"2018-06-11","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"5142","Ordinal":"3","NoteData":"2018-06-12","Type":"Other","Title":"Modified"}]}}}