CVE-2016-5260 — Sensitive Information Exposure in Firefox

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

6.5MEDIUMNVD

OSV9.8

EPSS

0.6%

top 30.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Debian Firefox-esr

Timeline

PublishedAug 5

Latest updateMay 17

Description

Mozilla Firefox before 48.0 mishandles changes from 'INPUT type="password"' to 'INPUT type="text"' within a single Session Manager session, which might allow attackers to discover cleartext passwords by reading a session restoration file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Ubuntumozilla/firefox< 48.0+build2-0ubuntu0.14.04.1+1

▶NVDmozilla/firefox47.0.1

▶debiandebian/firefox< firefox 48.0-1 (sid)

▶debiandebian/firefox-esr< firefox 48.0-1 (sid)

🔴Vulnerability Details

GHSA

GHSA-38xv-6f7m-5xxq: Mozilla Firefox before 48↗2022-05-17

▶

OSV

firefox vulnerabilities↗2016-08-05

▶

OSV

CVE-2016-5260: Mozilla Firefox before 48↗2016-08-03

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2016-08-05

▶

Red Hat

Mozilla: Form input type change from password to text can store plain text password in session restore file (MFSA 2016-74)↗2016-08-02

▶

Debian

CVE-2016-5260: firefox - Mozilla Firefox before 48.0 mishandles changes from 'INPUT type="password"' to '...↗2016

▶

💬Community

Bugzilla

CVE-2016-5260 Mozilla: Form input type change from password to text can store plain text password in session restore file (MFSA 2016-74)↗2016-08-01

▶