CVE-2017-5386 — Improper Privilege Management in Mozilla Firefox
11 documents, 8 sources
Severity
7.3 HIGH (NVD)
OSV: 9.8
EPSS
1.2% (top 21.18%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 11
Latest update: May 13
Description
WebExtension scripts can use the "data:" protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclosure or privilege escalation in affected extensions. This vulnerability affects Firefox ESR < 45.7 and Firefox < 51.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 3.9 | Impact: 3.4
Affected Packages: 7 packages
Also affects: Debian Linux 8.0, Enterprise Linux 5.0, 6.0, 7.0, 7.3, 7.4, 7.5
Patches
🔴 Vulnerability Details (5)
GHSA
GHSA-mjv5-g7c5-w9hq: WebExtension scripts can use the "data:" protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclo (2022-05-13)
CVEList
CVE-2017-5386: WebExtension scripts can use the "data:" protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclo (2018-06-11)
OSV
CVE-2017-5386: WebExtension scripts can use the "data:" protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclo (2018-06-11)
📋 Vendor Advisories (4)
Red Hat
Debian
CVE-2017-5386: firefox - WebExtension scripts can use the "data:" protocol to affect pages loaded by othe... (2017)
💬 Community (1)
Bugzilla
CVE-2017-5386 Mozilla: WebExtensions can use data: protocol to affect other extensions (MFSA 2017-02) (2017-01-25)