CVE-2016-1955

CWE-200 — Information Exposure10 documents8 sources

Severity

4.3MEDIUM

EPSS

0.5%

top 32.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Novell Suse Package HUB FOR Suse Linux Enterprise Opensuse Leap +1 more

Timeline

PublishedMar 13

Latest updateMay 14

Description

Mozilla Firefox before 45.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by reading a Content Security Policy (CSP) violation report that contains path information associated with an IFRAME element.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶NVDmozilla/firefox44.0.2

▶Debianfirefox-esr< 45.0esr-1+3

▶NVDopensuse/leap42.1

▶NVDopensuse/opensuse13.1, 13.2+1

▶NVDnovell/suse_package_hub12

🔴Vulnerability Details

GHSA

GHSA-7wm7-jf3h-3qcw: Mozilla Firefox before 45↗2022-05-14

▶

CVEList

CVE-2016-1955: Mozilla Firefox before 45↗2016-03-13

▶

OSV

CVE-2016-1955: Mozilla Firefox before 45↗2016-03-13

▶

📋Vendor Advisories

Red Hat

httpd: Billion laughs attack regression↗2016-08-04

▶

Ubuntu

Firefox vulnerabilities↗2016-03-09

▶

Red Hat

Mozilla: CSP reports fail to strip location information for embedded iframe pages (MFSA 2016-18)↗2016-03-08

▶

Debian

CVE-2016-1955: firefox - Mozilla Firefox before 45.0 allows remote attackers to bypass the Same Origin Po...↗2016

▶

💬Community

Bugzilla

CVE-2016-6312 apr-util, httpd: Billion laughs attack regression↗2016-08-04

▶

Bugzilla

CVE-2016-1955 Mozilla: CSP reports fail to strip location information for embedded iframe pages (MFSA 2016-18)↗2016-03-08

▶