CVE-2016-1949
published 2016-02-13CVE-2016-1949: Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same…
PriorityP336high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EPSS
1.50%
71.2th percentile
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 45.0-1 (sid) | firefox 45.0-1 (sid) |
| debian | firefox-esr | < firefox 45.0-1 (sid) | firefox 45.0-1 (sid) |
| mozilla | firefox | <= 44.0.1 | — |
| mozilla | firefox | >= 0 < 44.0.2+build1-0ubuntu0.14.04.1 | 44.0.2+build1-0ubuntu0.14.04.1 |
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8HIGH
vendor_redhat8.8HIGH
vendor_ubuntu8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
firefox: Same-origin-policy violation using Service Workers with plugins
vendor_redhat·2016-02-11·CVSS 8.8
CVE-2016-1949 [HIGH] firefox: Same-origin-policy violation using Service Workers with plugins
firefox: Same-origin-policy violation using Service Workers with plugins
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.
Statement: This issue does not affect the versions of Firefox shipped with Red Hat Enterprise Linux 5, 6 and 7.
Package: firefox (Red Hat Enterprise Linux 5) - Not affected
Package: firefox (Red Hat Enterprise Linux 6) - Not affected
Package: firefox (Red Hat Enterprise Linux 7) - Not affected
Ubuntu
Firefox vulnerability
vendor_ubuntu·2016-02-11·CVSS 8.8
CVE-2016-1949 [HIGH] Firefox vulnerability
Title: Firefox vulnerability
Summary: A same-origin-policy bypass was discovered in Firefox.
Jason Pang discovered that service workers intercept responses to plugin
network requests made through the browser. An attacker could potentially
exploit this to bypass same origin restrictions using the Flash plugin.
(CVE-2016-1949)
Instructions: After a standard system update you need to restart Firefox to make
all the necessary changes.
Debian
CVE-2016-1949: firefox - Mozilla Firefox before 44.0.2 does not properly restrict the interaction between...
vendor_debian·2016·CVSS 8.8
CVE-2016-1949 [HIGH] CVE-2016-1949: firefox - Mozilla Firefox before 44.0.2 does not properly restrict the interaction between...
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.
Scope: local
sid: resolved (fixed in 45.0-1)
GHSA
GHSA-gvh4-3r7j-cv8q: Mozilla Firefox before 44
ghsa_unreviewed·2022-05-17
CVE-2016-1949 [HIGH] GHSA-gvh4-3r7j-cv8q: Mozilla Firefox before 44
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.
OSV
CVE-2016-1949: Mozilla Firefox before 44
osv·2016-02-13·CVSS 8.8
CVE-2016-1949 [HIGH] CVE-2016-1949: Mozilla Firefox before 44
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.
OSV
firefox vulnerability
osv·2016-02-11·CVSS 8.8
CVE-2016-1949 [HIGH] firefox vulnerability
firefox vulnerability
Jason Pang discovered that service workers intercept responses to plugin
network requests made through the browser. An attacker could potentially
exploit this to bypass same origin restrictions using the Flash plugin.
(CVE-2016-1949)
No detection rules found.
No public exploits indexed.
http://lists.opensuse.org/opensuse-updates/2016-02/msg00102.htmlhttp://lists.opensuse.org/opensuse-updates/2016-02/msg00142.htmlhttp://www.mozilla.org/security/announce/2016/mfsa2016-13.htmlhttp://www.securitytracker.com/id/1035007http://www.ubuntu.com/usn/USN-2893-1https://bugzilla.mozilla.org/show_bug.cgi?id=1245724https://security.gentoo.org/glsa/201605-06http://lists.opensuse.org/opensuse-updates/2016-02/msg00102.htmlhttp://lists.opensuse.org/opensuse-updates/2016-02/msg00142.htmlhttp://www.mozilla.org/security/announce/2016/mfsa2016-13.htmlhttp://www.securitytracker.com/id/1035007http://www.ubuntu.com/usn/USN-2893-1https://bugzilla.mozilla.org/show_bug.cgi?id=1245724https://security.gentoo.org/glsa/201605-06
2016-02-13
Published