CVE-2018-12391
HIGHFirefox for Android < 63.0 - Incorrect Authorization via HTTP Live Stream Playback
Title source: llmDescription
During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.
References (8)
Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/105769
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2018-28/
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2018-26/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201811-13
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2018-27/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/105718
Issue Tracking, Permissions Required, Vendor Advisory x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1478843
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1041944
Scores
CVSS v3
8.8
EPSS
0.0055
EPSS Percentile
68.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
Status
published
Products (3)
mozilla/firefox
< 63.0
mozilla/firefox_esr
< 60.3
mozilla/thunderbird
< 60.3
Published
Feb 28, 2019
Tracked Since
Feb 18, 2026