CVE-2016-5282
Published 2016-09-22
CVE-2016-5282: Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon requests, which might allow remote attackers to obtain sensitive information via…
Priority: P429 · Severity: medium · CVSS 3.0 base score: 6.5
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N
EPSS: 1.61% (73.0th percentile)
Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon requests, which might allow remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by a jar: URL for a favicon resource.
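The bug class behind this entry is a missing scheme allowlist: web content nominates a favicon with `<link rel="icon" href="...">`, and the favicon loader fetched whatever URL it was given, including `jar:` URLs that ordinary content cannot otherwise load. The following is an added example, not Mozilla's code, showing the unrestricted (pre-fix) resolution beside an allowlisted one, run over a constructed HTML sample. The allowlist contents (`http:`, `https:`, `data:`), the function names and the sample page are assumptions for illustration; MFSA 2016-85 describes the real fix only as "don't allow content to request favicons from non-whitelisted schemes".

```javascript
// Added example (not Mozilla's code): a scheme allowlist for favicon URLs
// that web content supplies via <link rel="icon" href="...">.
// CVE-2016-5282 is the absence of such a check: content could point the
// favicon loader at a jar: URL (or any other scheme) and the loader would
// fetch it, reaching schemes the page itself is not allowed to load from.

// Assumed allowlist for illustration; Mozilla's actual list in the
// MFSA 2016-85 fix may differ.
const FAVICON_SCHEMES = new Set(["http:", "https:", "data:"]);

// Resolve a favicon href against the page URL, as a browser would, and
// return the parsed URL only if its scheme is on the allowlist.
// Returns null for unparseable hrefs and for disallowed schemes.
function resolveFavicon(href, pageUrl) {
  let url;
  try {
    url = new URL(href, pageUrl);   // relative hrefs inherit the page scheme
  } catch {
    return null;                    // malformed href: nothing to load
  }
  // URL normalises the scheme to lower case, so "JAR:" and "jar:" compare equal.
  return FAVICON_SCHEMES.has(url.protocol) ? url : null;
}

// Pre-fix behaviour, for contrast: any parseable URL is handed to the loader.
function resolveFaviconUnrestricted(href, pageUrl) {
  try {
    return new URL(href, pageUrl);
  } catch {
    return null;
  }
}

// Pull every <link rel="...icon..."> href out of an HTML document with a
// deliberately small regex (enough for the constructed sample below; a real
// implementation would walk the DOM) and keep only the loadable ones.
function faviconCandidates(html, pageUrl, resolver = resolveFavicon) {
  const linkTag = /<link\b[^>]*>/gi;
  const attr = (tag, name) => {
    const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
    const m = tag.match(re);
    return m ? (m[1] ?? m[2] ?? m[3]) : null;
  };
  const out = [];
  for (const tag of html.match(linkTag) ?? []) {
    const rel = attr(tag, "rel");
    const href = attr(tag, "href");
    if (!rel || !href) continue;
    // rel is a space-separated token list; "shortcut icon" also counts.
    if (!rel.toLowerCase().split(/\s+/).includes("icon")) continue;
    const url = resolver(href, pageUrl);
    if (url) out.push(url.href);
  }
  return out;
}

// Constructed sample page: one legitimate icon and several hostile ones.
const SAMPLE_PAGE_URL = "https://example.test/article";
const SAMPLE_HTML = `
<link rel="icon" href="/favicon.ico">
<link rel="shortcut icon" href="jar:http://attacker.test/bundle.jar!/icon.ico">
<link rel="icon" href="file:///etc/passwd">
<link rel="icon" href="chrome://browser/skin/icon.png">
<link rel="stylesheet" href="jar:http://attacker.test/x.jar!/a.css">
`;

// With the scheme check only the https icon survives; without it, the jar:,
// file: and chrome: candidates would all be passed to the loader.
console.log("allowlisted:", faviconCandidates(SAMPLE_HTML, SAMPLE_PAGE_URL));
console.log("unrestricted:", faviconCandidates(SAMPLE_HTML, SAMPLE_PAGE_URL, resolveFaviconUnrestricted));
```

The check is done on the resolved URL rather than on the raw `href` string so that protocol-relative (`//host/icon.ico`) and relative paths inherit the page's own scheme, and scheme case (`JAR:` versus `jar:`) is normalised by the URL parser before the comparison.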
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 49.0-1 (sid) | firefox 49.0-1 (sid) |
| debian | firefox-esr | < firefox 49.0-1 (sid) | firefox 49.0-1 (sid) |
| mozilla | firefox | <= 48.0.2 | — |
| mozilla | firefox | >= 0 < 49.0+build4-0ubuntu0.14.04.1 | 49.0+build4-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 49.0+build4-0ubuntu0.16.04.1 | 49.0+build4-0ubuntu0.16.04.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
GHSA
GHSA-gf3r-ccj6-h68v: Mozilla Firefox before 49
ghsa_unreviewed · 2022-05-17 · CVE-2016-5282 · MEDIUM · CWE-200
Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon requests, which might allow remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by a jar: URL for a favicon resource.
OSV
CVE-2016-5282: Mozilla Firefox before 49
osv · 2016-09-22 · CVSS 6.5 · MEDIUM
Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon requests, which might allow remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by a jar: URL for a favicon resource.
OSV
firefox vulnerabilities (CVE-2016-2827, related Ubuntu advisory text)
osv · 2016-09-22 · CVSS 6.5 · MEDIUM
Atte Kettunen discovered an out-of-bounds read when handling certain
Content Security Policy (CSP) directives in some circumstances. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash. (CVE-2016-2827)
Christoph Diehl, Christian Holler, Gary Kwong, Nathan Froyd, Honza Bambas,
Seth Fowler, Michael Smith, Andrew McCreight, Dan Minor, Byron Campen, Jon
Coppeard, Steve Fink, Tyson Smith, and Carsten Book discovered multiple
memory safety issues in Firefox. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5256, CVE-
Ubuntu
Firefox vulnerabilities (CVE-2016-2827, related Ubuntu advisory text)
vendor_ubuntu · 2016-09-22 · CVSS 6.5 · MEDIUM
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Atte Kettunen discovered an out-of-bounds read when handling certain
Content Security Policy (CSP) directives in some circumstances. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash. (CVE-2016-2827)
Christoph Diehl, Christian Holler, Gary Kwong, Nathan Froyd, Honza Bambas,
Seth Fowler, Michael Smith, Andrew McCreight, Dan Minor, Byron Campen, Jon
Coppeard, Steve Fink, Tyson Smith, and Carsten Book discovered multiple
memory safety issues in Firefox. If a user were tricked in to opening a
specially crafted website, an attacker could potentially e
Red Hat
Mozilla: Don't allow content to request favicons from non-whitelisted schemes (MFSA 2016-85)
vendor_redhat · 2016-09-20 · CVSS 6.5 · CVE-2016-5282 · MEDIUM
Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon requests, which might allow remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by a jar: URL for a favicon resource.
Package: firefox (Red Hat Enterprise Linux 5) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 5) - Not affected
Package: firefox (Red Hat Enterprise Linux 6) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 6) - Not affected
Package: firefox (Red Hat Enterprise Linux 7) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2016-5282: firefox - Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon req...
vendor_debian · 2016 · CVSS 6.5 · MEDIUM
Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon requests, which might allow remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by a jar: URL for a favicon resource.
Scope: local
sid: resolved (fixed in 49.0-1)
No detection rules found.
No public exploits indexed.
References
http://www.mozilla.org/security/announce/2016/mfsa2016-85.html
http://www.securityfocus.com/bid/93052
http://www.securitytracker.com/id/1036852
https://bugzilla.mozilla.org/show_bug.cgi?id=932335
https://security.gentoo.org/glsa/201701-15
Published 2016-09-22