CVE-2016-5250
published 2016-08-05CVE-2016-5250: Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the previously retrieved…
PriorityP416medium4.3CVSS 3.0
AVNACLPRNUIRSUCLINAN
EPSS
2.23%
80.6th percentile
Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the previously retrieved page via Resource Timing API calls.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 48.0-1 (sid) | firefox 48.0-1 (sid) |
| debian | firefox-esr | < firefox 48.0-1 (sid) | firefox 48.0-1 (sid) |
| mozilla | firefox | <= 47.0.1 | — |
| mozilla | firefox | >= 0 < 48.0+build2-0ubuntu0.14.04.1 | 48.0+build2-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 48.0+build2-0ubuntu0.16.04.1 | 48.0+build2-0ubuntu0.16.04.1 |
| mozilla | thunderbird | >= 0 < 1:45.4.0+build1-0ubuntu0.14.04.1 | 1:45.4.0+build1-0ubuntu0.14.04.1 |
| mozilla | thunderbird | >= 0 < 1:45.4.0+build1-0ubuntu0.16.04.1 | 1:45.4.0+build1-0ubuntu0.16.04.1 |
CVSS provenance
nvdv3.04.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv9.8CRITICAL
vendor_ubuntu9.8CRITICAL
vendor_debian4.3MEDIUM
vendor_redhat4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2016-10-27·CVSS 4.3
CVE-2016-5250 [MEDIUM] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Catalin Dumitru discovered that URLs of resources loaded after a
navigation start could be leaked to the following page via the Resource
Timing API. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to obtain sensitive information. (CVE-2016-5250)
Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard,
Steve Fink, Tyson Smith, and Carsten Book discovered multiple memory
safety issues in Thunderbird. If a user were tricked in to opening a
specially crafted message, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5
Red Hat
Mozilla: Resource Timing API is storing resources sent by the previous page (MFSA 2016-84, MFSA 2016-86)
vendor_redhat·2016-09-20·CVSS 4.3
CVE-2016-5250 [MEDIUM] Mozilla: Resource Timing API is storing resources sent by the previous page (MFSA 2016-84, MFSA 2016-86)
Mozilla: Resource Timing API is storing resources sent by the previous page (MFSA 2016-84, MFSA 2016-86)
Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the previously retrieved page via Resource Timing API calls.
Package: thunderbird (Red Hat Enterprise Linux 5) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 6) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 7) - Not affected
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2016-08-05·CVSS 9.8
CVE-2016-0718 [CRITICAL] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Gustavo Grieco discovered an out-of-bounds read during XML parsing in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or obtain sensitive information.
(CVE-2016-0718)
Toni Huttunen discovered that once a favicon is requested from a site,
the remote server can keep the network connection open even after the page
is closed. A remote attacked could potentially exploit this to track
users, resulting in information disclosure. (CVE-2016-2830)
Christian Holler, Tyson Smith, Boris Zbarsky, Byron Campen, Julian Seward,
Carsten Boo
Debian
CVE-2016-5250: firefox - Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow rem...
vendor_debian·2016·CVSS 4.3
CVE-2016-5250 [MEDIUM] CVE-2016-5250: firefox - Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow rem...
Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the previously retrieved page via Resource Timing API calls.
Scope: local
sid: resolved (fixed in 48.0-1)
GHSA
GHSA-w8fm-f723-jm45: Mozilla Firefox before 48
ghsa_unreviewed·2022-05-14
CVE-2016-5250 [MEDIUM] CWE-200 GHSA-w8fm-f723-jm45: Mozilla Firefox before 48
Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the previously retrieved page via Resource Timing API calls.
OSV
thunderbird vulnerabilities
osv·2016-10-27·CVSS 4.3
CVE-2016-5250 [MEDIUM] thunderbird vulnerabilities
thunderbird vulnerabilities
Catalin Dumitru discovered that URLs of resources loaded after a
navigation start could be leaked to the following page via the Resource
Timing API. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to obtain sensitive information. (CVE-2016-5250)
Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard,
Steve Fink, Tyson Smith, and Carsten Book discovered multiple memory
safety issues in Thunderbird. If a user were tricked in to opening a
specially crafted message, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5257)
Atte Kettunen discovered a heap buffer overflow during text co
OSV
CVE-2016-5250: Mozilla Firefox before 48
osv·2016-08-05·CVSS 4.3
CVE-2016-5250 [MEDIUM] CVE-2016-5250: Mozilla Firefox before 48
Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the previously retrieved page via Resource Timing API calls.
OSV
firefox vulnerabilities
osv·2016-08-05·CVSS 9.8
CVE-2016-0718 [CRITICAL] firefox vulnerabilities
firefox vulnerabilities
Gustavo Grieco discovered an out-of-bounds read during XML parsing in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or obtain sensitive information.
(CVE-2016-0718)
Toni Huttunen discovered that once a favicon is requested from a site,
the remote server can keep the network connection open even after the page
is closed. A remote attacked could potentially exploit this to track
users, resulting in information disclosure. (CVE-2016-2830)
Christian Holler, Tyson Smith, Boris Zbarsky, Byron Campen, Julian Seward,
Carsten Book, Gary Kwong, Jesse Ruderman, Andrew McCreight, and Phil
Ringnalda discovered multiple memory safety issues in
No detection rules found.
No public exploits indexed.
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1912.htmlhttp://www.debian.org/security/2016/dsa-3674http://www.mozilla.org/security/announce/2016/mfsa2016-84.htmlhttp://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.htmlhttp://www.securityfocus.com/bid/92260http://www.securitytracker.com/id/1036508http://www.ubuntu.com/usn/USN-3044-1https://bugzilla.mozilla.org/show_bug.cgi?id=1254688https://security.gentoo.org/glsa/201701-15https://www.mozilla.org/security/advisories/mfsa2016-86/https://www.mozilla.org/security/advisories/mfsa2016-88/http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1912.htmlhttp://www.debian.org/security/2016/dsa-3674http://www.mozilla.org/security/announce/2016/mfsa2016-84.htmlhttp://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.htmlhttp://www.securityfocus.com/bid/92260http://www.securitytracker.com/id/1036508http://www.ubuntu.com/usn/USN-3044-1https://bugzilla.mozilla.org/show_bug.cgi?id=1254688https://security.gentoo.org/glsa/201701-15https://www.mozilla.org/security/advisories/mfsa2016-86/https://www.mozilla.org/security/advisories/mfsa2016-88/
2016-08-05
Published