CVE-2017-5451 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation13 documents8 sources

Severity

4.3MEDIUMNVD

OSV9.8

EPSS

0.6%

top 31.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +6 more

Timeline

PublishedJun 11

Latest updateMay 14

Description

A mechanism to spoof the addressbar through the user interaction on the addressbar and the "onblur" event. The event could be used by script to affect text display to make the loaded site appear to be different from the one actually loaded within the addressbar. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages10 packages

▶CVEListV5mozilla/firefoxunspecified — 53

▶NVDmozilla/firefox< 53.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 52.1

▶Ubuntumozilla/firefox< 53.0+build6-0ubuntu0.14.04.1+3

▶CVEListV5mozilla/thunderbirdunspecified — 52.1

Also affects: Enterprise Linux 6.0, 7.0, 7.3, 7.4, 7.5

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-vvjr-2r7m-cm7q: A mechanism to spoof the addressbar through the user interaction on the addressbar and the "onblur" event↗2022-05-14

▶

CVEList

CVE-2017-5451: A mechanism to spoof the addressbar through the user interaction on the addressbar and the "onblur" event↗2018-06-11

▶

OSV

thunderbird vulnerabilities↗2017-05-16

▶

OSV

firefox regression↗2017-05-11

▶

OSV

firefox vulnerabilities↗2017-04-21

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2017-05-16

▶

Ubuntu

Firefox regression↗2017-05-11

▶

Ubuntu

Firefox vulnerabilities↗2017-04-21

▶

Red Hat

Mozilla: Addressbar spoofing with onblur event (MFSA 2017-12)↗2017-04-19

▶

Debian

CVE-2017-5451: firefox - A mechanism to spoof the addressbar through the user interaction on the addressb...↗2017

▶

💬Community

Bugzilla

CVE-2017-5451 Mozilla: Addressbar spoofing with onblur event (MFSA 2017-12)↗2017-04-19

▶