CVE-2018-18506
moderate-risk
Published 2019-02-05
When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attacks on services and tools that bind to the localhost for networked behavior if they are accessed through browsing. This vulnerability affects Firefox < 65.
Do I need to act?
EPSS score: 2.4% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not on the CISA KEV list; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 5.9/10 (Medium); attack vector NETWORK, attack complexity HIGH
Affected Products (20)
References (42)
Broken Link: http://www.securityfocus.com/bid/106773
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:0622
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:0623
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:0680
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:0681
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:0966
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:1144
Mailing List: https://seclists.org/bugtraq/2019/Apr/0
Mailing List: https://seclists.org/bugtraq/2019/Mar/28
Third Party Advisory: https://security.gentoo.org/glsa/201904-07
Third Party Advisory: https://usn.ubuntu.com/3874-1/
Third Party Advisory: https://usn.ubuntu.com/3927-1/
Third Party Advisory: https://www.debian.org/security/2019/dsa-4411
Third Party Advisory: https://www.debian.org/security/2019/dsa-4420
and 22 more references
Risk score: 45 / 100 (moderate-risk)
Severity: 18/34 · Moderate
Exploitability: 5/34 · Minimal
Exposure: 22/34 · High