CVE-2016-5268 — Firefox vulnerability

CWE-2548 documents7 sources

Severity

4.3MEDIUMNVD

OSV9.8

EPSS

0.4%

top 36.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Debian Firefox-esr

Timeline

PublishedAug 5

Latest updateMay 17

Description

Mozilla Firefox before 48.0 does not properly set the LINKABLE and URI_SAFE_FOR_UNTRUSTED_CONTENT flags of about: URLs that are used for error pages, which makes it easier for remote attackers to conduct spoofing attacks via a crafted URL, as demonstrated by misleading text after an about:neterror?d= substring.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶Ubuntumozilla/firefox< 48.0+build2-0ubuntu0.14.04.1+1

▶NVDmozilla/firefox47.0.1

▶debiandebian/firefox< firefox 48.0-1 (sid)

▶debiandebian/firefox-esr< firefox 48.0-1 (sid)

🔴Vulnerability Details

GHSA

GHSA-j5jj-f68h-7qh9: Mozilla Firefox before 48↗2022-05-17

▶

OSV

firefox vulnerabilities↗2016-08-05

▶

OSV

CVE-2016-5268: Mozilla Firefox before 48↗2016-08-03

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2016-08-05

▶

Red Hat

Mozilla: Spoofing attack through text injection into internal error pages (MFSA 2016-83)↗2016-08-02

▶

Debian

CVE-2016-5268: firefox - Mozilla Firefox before 48.0 does not properly set the LINKABLE and URI_SAFE_FOR_...↗2016

▶

💬Community

Bugzilla

CVE-2016-5268 Mozilla: Spoofing attack through text injection into internal error pages (MFSA 2016-83)↗2016-08-01

▶