CVE-2016-1949 — Firefox vulnerability

CWE-2648 documents7 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 60.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Debian Firefox-esr

Timeline

PublishedFeb 13

Latest updateMay 17

Description

Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶Ubuntumozilla/firefox< 44.0.2+build1-0ubuntu0.14.04.1

▶NVDmozilla/firefox44.0.1

▶debiandebian/firefox< firefox 45.0-1 (sid)

▶debiandebian/firefox-esr< firefox 45.0-1 (sid)

🔴Vulnerability Details

GHSA

GHSA-gvh4-3r7j-cv8q: Mozilla Firefox before 44↗2022-05-17

▶

OSV

CVE-2016-1949: Mozilla Firefox before 44↗2016-02-13

▶

OSV

firefox vulnerability↗2016-02-11

▶

📋Vendor Advisories

Red Hat

firefox: Same-origin-policy violation using Service Workers with plugins↗2016-02-11

▶

Ubuntu

Firefox vulnerability↗2016-02-11

▶

Debian

CVE-2016-1949: firefox - Mozilla Firefox before 44.0.2 does not properly restrict the interaction between...↗2016

▶

💬Community

Bugzilla

CVE-2016-1949 firefox: Same-origin-policy violation using Service Workers with plugins↗2016-02-11

▶