CVE-2016-5282 — Sensitive Information Exposure in Firefox

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 39.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Debian Firefox-esr

Timeline

PublishedSep 22

Latest updateMay 17

Description

Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon requests, which might allow remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by a jar: URL for a favicon resource.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Ubuntumozilla/firefox< 49.0+build4-0ubuntu0.14.04.1+1

▶NVDmozilla/firefox48.0.2

▶debiandebian/firefox< firefox 49.0-1 (sid)

▶debiandebian/firefox-esr< firefox 49.0-1 (sid)

🔴Vulnerability Details

GHSA

GHSA-gf3r-ccj6-h68v: Mozilla Firefox before 49↗2022-05-17

▶

OSV

CVE-2016-5282: Mozilla Firefox before 49↗2016-09-22

▶

OSV

firefox vulnerabilities↗2016-09-22

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2016-09-22

▶

Red Hat

Mozilla: Don't allow content to request favicons from non-whitelisted schemes (MFSA 2016-85)↗2016-09-20

▶

Debian

CVE-2016-5282: firefox - Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon req...↗2016

▶

💬Community

Bugzilla

CVE-2016-5282 Mozilla: Don't allow content to request favicons from non-whitelisted schemes (MFSA 2016-85)↗2016-09-20

▶