CVE-2017-5393 — Cross-site Scripting in Mozilla Firefox

CWE-79 — Cross-site Scripting8 documents5 sources

Severity

6.1MEDIUMNVD

OSV9.8

EPSS

0.5%

top 35.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Debian Firefox-esr

Timeline

PublishedJun 11

Latest updateMay 14

Description

The "mozAddonManager" allows for the installation of extensions from the CDN for addons.mozilla.org, a publicly accessible site. This could allow malicious extensions to install additional extensions from the CDN in combination with an XSS attack on Mozilla AMO sites. This vulnerability affects Firefox < 51.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶CVEListV5mozilla/firefoxunspecified — 51

▶NVDmozilla/firefox< 51.0

▶Ubuntumozilla/firefox< 51.0.1+build2-0ubuntu0.14.04.1+3

▶debiandebian/firefox< firefox 51.0-1 (sid)

▶debiandebian/firefox-esr< firefox 51.0-1 (sid)

🔴Vulnerability Details

GHSA

GHSA-q77m-7m77-g2rw: The "mozAddonManager" allows for the installation of extensions from the CDN for addons↗2022-05-14

▶

OSV

firefox regression↗2017-02-06

▶

OSV

firefox vulnerabilities↗2017-01-27

▶

OSV

CVE-2017-5393: The "mozAddonManager" allows for the installation of extensions from the CDN for addons↗2017-01-25

▶

📋Vendor Advisories

Ubuntu

Firefox regression↗2017-02-06

▶

Ubuntu

Firefox vulnerabilities↗2017-01-27

▶

Debian

CVE-2017-5393: firefox - The "mozAddonManager" allows for the installation of extensions from the CDN for...↗2017

▶