CVE-2018-18506

When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attacks on services and tools that bind to the localhost for networked behavior if they are accessed through browsing. This vulnerability affects Firefox < 65.

• http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00035.htmlBroken Link, Mailing List, Third Party Advisory
• http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00043.htmlMailing List, Third Party Advisory
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00023.htmlMailing List, Third Party Advisory
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.htmlMailing List, Third Party Advisory
• http://www.securityfocus.com/bid/106773Broken Link, Third Party Advisory, VDB Entry
• https://access.redhat.com/errata/RHSA-2019:0622Third Party Advisory
• https://access.redhat.com/errata/RHSA-2019:0623Third Party Advisory
• https://access.redhat.com/errata/RHSA-2019:0680Third Party Advisory
• https://access.redhat.com/errata/RHSA-2019:0681Third Party Advisory
• https://access.redhat.com/errata/RHSA-2019:0966Third Party Advisory
• https://access.redhat.com/errata/RHSA-2019:1144Third Party Advisory
• https://lists.debian.org/debian-lts-announce/2019/03/msg00024.htmlMailing List, Third Party Advisory
• https://lists.debian.org/debian-lts-announce/2019/04/msg00000.htmlMailing List, Third Party Advisory
• https://seclists.org/bugtraq/2019/Apr/0Mailing List, Third Party Advisory
• https://seclists.org/bugtraq/2019/Mar/28Mailing List, Third Party Advisory
• https://security.gentoo.org/glsa/201904-07Third Party Advisory
• https://usn.ubuntu.com/3874-1/Third Party Advisory
• https://usn.ubuntu.com/3927-1/Third Party Advisory
• https://www.debian.org/security/2019/dsa-4411Third Party Advisory
• https://www.debian.org/security/2019/dsa-4420Third Party Advisory
• https://www.mozilla.org/security/advisories/mfsa2019-01/Vendor Advisory
• http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00035.htmlBroken Link, Mailing List, Third Party Advisory
• http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00043.htmlMailing List, Third Party Advisory
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00023.htmlMailing List, Third Party Advisory
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.htmlMailing List, Third Party Advisory
• http://www.securityfocus.com/bid/106773Broken Link, Third Party Advisory, VDB Entry
• https://access.redhat.com/errata/RHSA-2019:0622Third Party Advisory
• https://access.redhat.com/errata/RHSA-2019:0623Third Party Advisory
• https://access.redhat.com/errata/RHSA-2019:0680Third Party Advisory
• https://access.redhat.com/errata/RHSA-2019:0681Third Party Advisory
• https://access.redhat.com/errata/RHSA-2019:0966Third Party Advisory
• https://access.redhat.com/errata/RHSA-2019:1144Third Party Advisory
• https://lists.debian.org/debian-lts-announce/2019/03/msg00024.htmlMailing List, Third Party Advisory
• https://lists.debian.org/debian-lts-announce/2019/04/msg00000.htmlMailing List, Third Party Advisory
• https://seclists.org/bugtraq/2019/Apr/0Mailing List, Third Party Advisory
• https://seclists.org/bugtraq/2019/Mar/28Mailing List, Third Party Advisory
• https://security.gentoo.org/glsa/201904-07Third Party Advisory
• https://usn.ubuntu.com/3874-1/Third Party Advisory
• https://usn.ubuntu.com/3927-1/Third Party Advisory
• https://www.debian.org/security/2019/dsa-4411Third Party Advisory
• https://www.debian.org/security/2019/dsa-4420Third Party Advisory
• https://www.mozilla.org/security/advisories/mfsa2019-01/Vendor Advisory

Published

Feb 5, 2019

Last Modified

Jun 17, 2026

Status

Modified