Description
If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.
References (18)
Core 18
Core References
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201810-01
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201811-13
Exploit, Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1475775
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2018/dsa-4327
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2018-23/
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2835
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3403
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2018-20/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1041610
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/105276
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1041701
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3458
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2018/dsa-4304
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2834
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/3793-1/
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2018-25/
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/3761-1/
Scores
CVSS v3
5.5
EPSS
0.0008
EPSS Percentile
23.4%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-522
Status
published
Products (18)
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
16.04
canonical/ubuntu_linux
18.04
debian/debian_linux
8.0
debian/debian_linux
9.0
mozilla/firefox
< 62.0
mozilla/firefox_esr
< 60.2.1
mozilla/thunderbird
< 60.2.1
redhat/enterprise_linux_desktop
6.0
redhat/enterprise_linux_desktop
7.0
... and 8 more
Published
Oct 18, 2018
Tracked Since
Feb 18, 2026