{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2018-12402","title":"Title"},{"category":"description","text":"The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of \"Save Page As...\" functionality. For example, a malicious page could recover a visitor's Windows username and NTLM hash by including resources otherwise unreachable to the malicious page, if they can convince the visitor to save the complete web page. Similarly, SameSite cookies are sent on cross-origin requests when the \"Save Page As...\" menu item is selected to save a page, which can result in saving the wrong version of resources based on those cookies. This vulnerability affects Firefox < 63.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2018-12402","url":"https://www.suse.com/security/cve/CVE-2018-12402"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1112852 for CVE-2018-12402","url":"https://bugzilla.suse.com/1112852"},{"category":"external","summary":"Advisory link for openSUSE-SU-2024:14572-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3HI2RC7AJAHY74Q6MK7GNGWU6TITB22V/"}],"title":"SUSE CVE CVE-2018-12402","tracking":{"current_release_date":"2025-12-14T02:34:51Z","generator":{"date":"2023-02-15T04:26:33Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2018-12402","initial_release_date":"2023-02-15T04:26:33Z","revision_history":[{"date":"2023-02-15T04:26:33Z","number":"2","summary":"Current version"},{"date":"2024-12-13T02:18:13Z","number":"3","summary":"Current version"},{"date":"2024-12-21T04:00:35Z","number":"4","summary":"Current version"},{"date":"2025-01-01T07:36:05Z","number":"5","summary":"Current version"},{"date":"2025-01-10T04:00:11Z","number":"6","summary":"Current version"},{"date":"2025-03-14T04:00:06Z","number":"7","summary":"Current version"},{"date":"2025-03-15T12:04:21Z","number":"8","summary":"Current version"},{"date":"2025-04-25T06:59:31Z","number":"9","summary":"Current version"},{"date":"2025-05-01T06:29:45Z","number":"10","summary":"Current version"},{"date":"2025-06-27T01:19:01Z","number":"11","summary":"Current version"},{"date":"2025-07-01T02:15:06Z","number":"12","summary":"Current version"},{"date":"2025-09-07T00:09:17Z","number":"13","summary":"Current version"},{"date":"2025-12-14T02:34:51Z","number":"14","summary":"unknown changes"}],"status":"interim","version":"14"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Server 11 SP1 for Teradata","product":{"name":"SUSE Linux Enterprise Server 11 SP1 for Teradata","product_id":"SUSE Linux Enterprise Server 11 SP1 for Teradata","product_identification_helper":{"cpe":"cpe:/o:suse:suse_sles_teradata:11:sp1"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"MozillaFirefox","product":{"name":"MozillaFirefox","product_id":"MozillaFirefox","product_identification_helper":{"cpe":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/MozillaFirefox@?upstream=MozillaFirefox.src.rpm"}}},{"category":"product_version","name":"MozillaFirefox-92.0-1.2","product":{"name":"MozillaFirefox-92.0-1.2","product_id":"MozillaFirefox-92.0-1.2","product_identification_helper":{"cpe":"cpe:2.3:a:mozilla:firefox:92.0:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/MozillaFirefox@92.0-1.2?upstream=MozillaFirefox-92.0-1.2.src.rpm"}}},{"category":"product_version","name":"MozillaFirefox-branding-upstream-92.0-1.2","product":{"name":"MozillaFirefox-branding-upstream-92.0-1.2","product_id":"MozillaFirefox-branding-upstream-92.0-1.2","product_identification_helper":{"cpe":"cpe:2.3:a:mozilla:firefox:92.0:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/MozillaFirefox-branding-upstream@92.0-1.2?upstream=MozillaFirefox-92.0-1.2.src.rpm"}}},{"category":"product_version","name":"MozillaFirefox-devel-92.0-1.2","product":{"name":"MozillaFirefox-devel-92.0-1.2","product_id":"MozillaFirefox-devel-92.0-1.2","product_identification_helper":{"cpe":"cpe:2.3:a:mozilla:firefox:92.0:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/MozillaFirefox-devel@92.0-1.2?upstream=MozillaFirefox-92.0-1.2.src.rpm"}}},{"category":"product_version","name":"MozillaFirefox-translations-common-92.0-1.2","product":{"name":"MozillaFirefox-translations-common-92.0-1.2","product_id":"MozillaFirefox-translations-common-92.0-1.2","product_identification_helper":{"cpe":"cpe:2.3:a:mozilla:firefox:92.0:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/MozillaFirefox-translations-common@92.0-1.2?upstream=MozillaFirefox-92.0-1.2.src.rpm"}}},{"category":"product_version","name":"MozillaFirefox-translations-other-92.0-1.2","product":{"name":"MozillaFirefox-translations-other-92.0-1.2","product_id":"MozillaFirefox-translations-other-92.0-1.2","product_identification_helper":{"cpe":"cpe:2.3:a:mozilla:firefox:92.0:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/MozillaFirefox-translations-other@92.0-1.2?upstream=MozillaFirefox-92.0-1.2.src.rpm"}}},{"category":"product_version","name":"firefox-esr-128.5.1-1.1","product":{"name":"firefox-esr-128.5.1-1.1","product_id":"firefox-esr-128.5.1-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/firefox-esr@128.5.1-1.1"}}},{"category":"product_version","name":"firefox-esr-branding-upstream-128.5.1-1.1","product":{"name":"firefox-esr-branding-upstream-128.5.1-1.1","product_id":"firefox-esr-branding-upstream-128.5.1-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/firefox-esr-branding-upstream@128.5.1-1.1"}}},{"category":"product_version","name":"firefox-esr-translations-common-128.5.1-1.1","product":{"name":"firefox-esr-translations-common-128.5.1-1.1","product_id":"firefox-esr-translations-common-128.5.1-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/firefox-esr-translations-common@128.5.1-1.1"}}},{"category":"product_version","name":"firefox-esr-translations-other-128.5.1-1.1","product":{"name":"firefox-esr-translations-other-128.5.1-1.1","product_id":"firefox-esr-translations-other-128.5.1-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/firefox-esr-translations-other@128.5.1-1.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox-92.0-1.2 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:MozillaFirefox-92.0-1.2"},"product_reference":"MozillaFirefox-92.0-1.2","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox-branding-upstream-92.0-1.2 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:MozillaFirefox-branding-upstream-92.0-1.2"},"product_reference":"MozillaFirefox-branding-upstream-92.0-1.2","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox-devel-92.0-1.2 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:MozillaFirefox-devel-92.0-1.2"},"product_reference":"MozillaFirefox-devel-92.0-1.2","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox-translations-common-92.0-1.2 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:MozillaFirefox-translations-common-92.0-1.2"},"product_reference":"MozillaFirefox-translations-common-92.0-1.2","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox-translations-other-92.0-1.2 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:MozillaFirefox-translations-other-92.0-1.2"},"product_reference":"MozillaFirefox-translations-other-92.0-1.2","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"firefox-esr-128.5.1-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:firefox-esr-128.5.1-1.1"},"product_reference":"firefox-esr-128.5.1-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"firefox-esr-branding-upstream-128.5.1-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:firefox-esr-branding-upstream-128.5.1-1.1"},"product_reference":"firefox-esr-branding-upstream-128.5.1-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"firefox-esr-translations-common-128.5.1-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:firefox-esr-translations-common-128.5.1-1.1"},"product_reference":"firefox-esr-translations-common-128.5.1-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"firefox-esr-translations-other-128.5.1-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:firefox-esr-translations-other-128.5.1-1.1"},"product_reference":"firefox-esr-translations-other-128.5.1-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox as component of SLES for SAP Applications 11 SP3","product_id":"SLES for SAP Applications 11 SP3:MozillaFirefox"},"product_reference":"MozillaFirefox","relates_to_product_reference":"SLES for SAP Applications 11 SP3"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox as component of SUSE Linux Enterprise Server 11 SP1 for Teradata","product_id":"SUSE Linux Enterprise Server 11 SP1 for Teradata:MozillaFirefox"},"product_reference":"MozillaFirefox","relates_to_product_reference":"SUSE Linux Enterprise Server 11 SP1 for Teradata"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox as component of SUSE Linux Enterprise Server 11 SP3 LTSS","product_id":"SUSE Linux Enterprise Server 11 SP3 LTSS:MozillaFirefox"},"product_reference":"MozillaFirefox","relates_to_product_reference":"SUSE Linux Enterprise Server 11 SP3 LTSS"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox as component of SUSE Linux Enterprise Server 11 SP4-LTSS","product_id":"SUSE Linux Enterprise Server 11 SP4-LTSS:MozillaFirefox"},"product_reference":"MozillaFirefox","relates_to_product_reference":"SUSE Linux Enterprise Server 11 SP4-LTSS"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox-translations-common as component of SUSE Linux Enterprise Server 11 SP4-LTSS","product_id":"SUSE Linux Enterprise Server 11 SP4-LTSS:MozillaFirefox-translations-common"},"product_reference":"MozillaFirefox-translations-common","relates_to_product_reference":"SUSE Linux Enterprise Server 11 SP4-LTSS"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox-translations-other as component of SUSE Linux Enterprise Server 11 SP4-LTSS","product_id":"SUSE Linux Enterprise Server 11 SP4-LTSS:MozillaFirefox-translations-other"},"product_reference":"MozillaFirefox-translations-other","relates_to_product_reference":"SUSE Linux Enterprise Server 11 SP4-LTSS"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox as component of SUSE Linux Enterprise Server for SAP Applications 12","product_id":"SUSE Linux Enterprise Server for SAP Applications 12:MozillaFirefox"},"product_reference":"MozillaFirefox","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 12"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox-devel as component of SUSE Linux Enterprise Server 11 SP4","product_id":"SUSE Linux Enterprise Server 11 SP4:MozillaFirefox-devel"},"product_reference":"MozillaFirefox-devel","relates_to_product_reference":"SUSE Linux Enterprise Server 11 SP4"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox as component of SUSE Linux Enterprise Server 11 SP4","product_id":"SUSE Linux Enterprise Server 11 SP4:MozillaFirefox"},"product_reference":"MozillaFirefox","relates_to_product_reference":"SUSE Linux Enterprise Server 11 SP4"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox-devel as component of SUSE Linux Enterprise Server for SAP Applications 11 SP4","product_id":"SUSE Linux Enterprise Server for SAP Applications 11 SP4:MozillaFirefox-devel"},"product_reference":"MozillaFirefox-devel","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 11 SP4"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox as component of SUSE Linux Enterprise Server for SAP Applications 11 SP4","product_id":"SUSE Linux Enterprise Server for SAP Applications 11 SP4:MozillaFirefox"},"product_reference":"MozillaFirefox","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 11 SP4"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox-devel as component of SUSE Linux Enterprise Desktop 11 SP4","product_id":"SUSE Linux Enterprise Desktop 11 SP4:MozillaFirefox-devel"},"product_reference":"MozillaFirefox-devel","relates_to_product_reference":"SUSE Linux Enterprise Desktop 11 SP4"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox as component of SUSE Linux Enterprise Desktop 11 SP4","product_id":"SUSE Linux Enterprise Desktop 11 SP4:MozillaFirefox"},"product_reference":"MozillaFirefox","relates_to_product_reference":"SUSE Linux Enterprise Desktop 11 SP4"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox-devel as component of SUSE Linux Enterprise Software Development Kit 11 SP4","product_id":"SUSE Linux Enterprise Software Development Kit 11 SP4:MozillaFirefox-devel"},"product_reference":"MozillaFirefox-devel","relates_to_product_reference":"SUSE Linux Enterprise Software Development Kit 11 SP4"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox as component of SUSE Linux Enterprise Software Development Kit 11 SP4","product_id":"SUSE Linux Enterprise Software Development Kit 11 SP4:MozillaFirefox"},"product_reference":"MozillaFirefox","relates_to_product_reference":"SUSE Linux Enterprise Software Development Kit 11 SP4"}]},"vulnerabilities":[{"cve":"CVE-2018-12402","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2018-12402"}],"notes":[{"category":"general","text":"The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of \"Save Page As...\" functionality. For example, a malicious page could recover a visitor's Windows username and NTLM hash by including resources otherwise unreachable to the malicious page, if they can convince the visitor to save the complete web page. Similarly, SameSite cookies are sent on cross-origin requests when the \"Save Page As...\" menu item is selected to save a page, which can result in saving the wrong version of resources based on those cookies. This vulnerability affects Firefox < 63.","title":"CVE description"}],"product_status":{"known_affected":["SUSE Linux Enterprise Server 11 SP1 for Teradata:MozillaFirefox"],"recommended":["openSUSE Tumbleweed:MozillaFirefox-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-branding-upstream-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-devel-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-translations-common-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-translations-other-92.0-1.2","openSUSE Tumbleweed:firefox-esr-128.5.1-1.1","openSUSE Tumbleweed:firefox-esr-branding-upstream-128.5.1-1.1","openSUSE Tumbleweed:firefox-esr-translations-common-128.5.1-1.1","openSUSE Tumbleweed:firefox-esr-translations-other-128.5.1-1.1"]},"references":[{"category":"external","summary":"CVE-2018-12402","url":"https://www.suse.com/security/cve/CVE-2018-12402"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1112852 for CVE-2018-12402","url":"https://bugzilla.suse.com/1112852"},{"category":"external","summary":"Advisory link for openSUSE-SU-2024:14572-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3HI2RC7AJAHY74Q6MK7GNGWU6TITB22V/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:MozillaFirefox-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-branding-upstream-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-devel-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-translations-common-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-translations-other-92.0-1.2","openSUSE Tumbleweed:firefox-esr-128.5.1-1.1","openSUSE Tumbleweed:firefox-esr-branding-upstream-128.5.1-1.1","openSUSE Tumbleweed:firefox-esr-translations-common-128.5.1-1.1","openSUSE Tumbleweed:firefox-esr-translations-other-128.5.1-1.1"]},{"category":"no_fix_planned","details":"There is no fix planned for these products.\n","product_ids":["SLES for SAP Applications 11 SP3:MozillaFirefox","SUSE Linux Enterprise Desktop 11 SP4:MozillaFirefox","SUSE Linux Enterprise Desktop 11 SP4:MozillaFirefox-devel","SUSE Linux Enterprise Server 11 SP3 LTSS:MozillaFirefox","SUSE Linux Enterprise Server 11 SP4-LTSS:MozillaFirefox","SUSE Linux Enterprise Server 11 SP4-LTSS:MozillaFirefox","SUSE Linux Enterprise Server 11 SP4-LTSS:MozillaFirefox-translations-common","SUSE Linux Enterprise Server 11 SP4-LTSS:MozillaFirefox-translations-common","SUSE Linux Enterprise Server 11 SP4-LTSS:MozillaFirefox-translations-other","SUSE Linux Enterprise Server 11 SP4-LTSS:MozillaFirefox-translations-other","SUSE Linux Enterprise Server 11 SP4:MozillaFirefox","SUSE Linux Enterprise Server 11 SP4:MozillaFirefox-devel","SUSE Linux Enterprise Server for SAP Applications 11 SP4:MozillaFirefox","SUSE Linux Enterprise Server for SAP Applications 11 SP4:MozillaFirefox-devel","SUSE Linux Enterprise Server for SAP Applications 12:MozillaFirefox","SUSE Linux Enterprise Software Development Kit 11 SP4:MozillaFirefox","SUSE Linux Enterprise Software Development Kit 11 SP4:MozillaFirefox-devel"]}],"scores":[{"cvss_v3":{"baseScore":6.1,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.0"},"products":["openSUSE Tumbleweed:MozillaFirefox-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-branding-upstream-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-devel-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-translations-common-92.0-1.2","openSUSE Tumbleweed:MozillaFirefox-translations-other-92.0-1.2","openSUSE Tumbleweed:firefox-esr-128.5.1-1.1","openSUSE Tumbleweed:firefox-esr-branding-upstream-128.5.1-1.1","openSUSE Tumbleweed:firefox-esr-translations-common-128.5.1-1.1","openSUSE Tumbleweed:firefox-esr-translations-other-128.5.1-1.1"]}],"threats":[{"category":"impact","date":"2018-10-23T15:09:49Z","details":"important"}],"title":"CVE-2018-12402"}]}