CVE-2016-9075 — Mozilla Firefox vulnerability

CWE-2648 documents7 sources

Severity

9.8CRITICALNVD

EPSS

2.6%

top 14.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Debian Firefox-esr

Timeline

PublishedJun 11

Latest updateMay 14

Description

An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 50.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶debiandebian/firefox< firefox 50.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 50

▶NVDmozilla/firefox< 50.0

▶debiandebian/firefox-esr< firefox 50.0-1 (sid)

▶Ubuntumozilla/firefox< 50.0+build2-0ubuntu0.14.04.2+1

🔴Vulnerability Details

GHSA

GHSA-vf79-gc8c-5h95: An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list↗2022-05-14

▶

OSV

firefox vulnerabilities↗2016-11-19

▶

OSV

CVE-2016-9075: An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list↗2016-11-17

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2016-11-19

▶

Red Hat

Mozilla: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (MFSA 2016-89)↗2016-11-15

▶

Debian

CVE-2016-9075: firefox - An issue where WebExtensions can use the mozAddonManager API to elevate privileg...↗2016

▶

💬Community

Bugzilla

CVE-2016-9075 Mozilla: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (MFSA 2016-89)↗2016-11-15

▶